Skip to content

[TEST] Reduce crypto_sign_signature_internal stack usage #791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
mkannwischer wants to merge 12 commits into
base: main
Choose a base branch
from
Draft

[TEST] Reduce crypto_sign_signature_internal stack usage #791

mkannwischer wants to merge 12 commits into from

Conversation

@mkannwischer
Copy link
Contributor

@mkannwischer mkannwischer commented Dec 15, 2025

No description provided.

This was referenced Dec 15, 2025
Closed
Closed
hanno-becker and others added 12 commits December 17, 2025 16:42
@hanno-becker @mkannwischer
Introduce mld_polymat_get_row() helper function
c15215f 
- Add mld_polymat_get_row() to retrieve matrix row pointer
- Update mld_polyvec_matrix_pointwise_montgomery() to use helper

Addresses #738 (steps 2-3 of #736)

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker @mkannwischer
Add configuration option for reduced memory usage
4f2a1aa 
Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker @mkannwischer
[TEST] Enable reduced RAM option by default
24a2d2a 
Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@mkannwischer
verify stack usage: Reuse t1/w1 polyveck
d5f7fe6 
crypto_sign_verify_internal stack:

before: 26928/37232/49776
after: 22784/31040/41536

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
verify stack usage: reuse mat/c2 buffer
33ae864 
crypto_sign_verify_internal stack: 21743/30016/40515

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
verify stack usage: Unpack h on the fly
77b9c0c 
crypto_sign_verify_internal stack: 17664/24864/33312

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
verify stack usage: unpack t1 on the fly + share tmp/mat buffer
5c3053b 
crypto_sign_verify_internal stack: 14592/19744/26144

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
verify stack usage: reuse z/cp buffer
90a2202 
crypto_sign_verify_internal stack: 13568/18720/25120

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
sign stack usage: reuse y/h buffer
10c1620 
71168 -> 64000

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
sign stack usage: unpack t0 repeatedly
3d87495 
64000 -> 55808

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
sign stack usage: unpack s1/s2 repeatedly
7a35665 
55808 -> 40448

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
sign stack usage: compute z incrementally
1fa9c2c 
40448 -> 34304

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
89b07cf 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer mkannwischer mentioned this pull request Dec 30, 2025
Open
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
f04e332 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
ed02e9f 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
b08a7e2 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
e80c8af 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 30, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
afab015 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
WIP: sign stack usage: compute z incrementally
6577bc5 
Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
01d6afc 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
691c8ca 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
12f780b 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
The computation of z is moved into a separate function (compute_pack_z) to
vastly speed up the CBMC proofs.

De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer mkannwischer mentioned this pull request Dec 31, 2025
Open
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
3c55121 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
72b6861 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Dec 31, 2025
@mkannwischer
sign stack usage: compute z incrementally
8990471 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
The computation of z is moved into a separate function (compute_pack_z) to
vastly speed up the CBMC proofs.

De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
7436be9 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
0d691ad 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
The computation of z is moved into a separate function (compute_pack_z) to
vastly speed up the CBMC proofs.

De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
1574d3e 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
The computation of z is moved into a separate function (compute_pack_z) to
vastly speed up the CBMC proofs.

De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
bc6dd9a 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
3f46773 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
The computation of z is moved into a separate function (compute_pack_z) to
vastly speed up the CBMC proofs.

De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
mkannwischer added a commit that referenced this pull request Jan 3, 2026
@mkannwischer
sign stack usage: compute z incrementally
c9c8c71 
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkannwischer @hanno-becker