pq-code-package · willieyz · Aug 7, 2025 · Aug 7, 2025 · Sep 22, 2025 · Sep 22, 2025
@@ -10,6 +10,7 @@
 
 #if defined(MLDSA_DEBUG)
 
+#include <inttypes.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include "debug.h"
@@ -27,8 +28,8 @@ void mld_debug_check_assert(const char *file, int line, const int val)
 }
 
 void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
-                            unsigned len, int lower_bound_exclusive,
-                            int upper_bound_exclusive)
+                            unsigned len, int64_t lower_bound_exclusive,
+                            int64_t upper_bound_exclusive)
 {
   int err = 0;
   unsigned i;
@@ -37,12 +38,12 @@ void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
     int32_t val = ptr[i];
     if (!(val > lower_bound_exclusive && val < upper_bound_exclusive))
     {
-      fprintf(
-          stderr,
-          MLD_DEBUG_ERROR_HEADER
-          "Bounds assertion failed: Index %u, value %d out of bounds (%d,%d)\n",
-          file, line, i, (int)val, lower_bound_exclusive,
-          upper_bound_exclusive);
+      fprintf(stderr,
+              MLD_DEBUG_ERROR_HEADER
+              "Bounds assertion failed: Index %u, value %d out of bounds "
+              "(%" PRId64 ",%" PRId64 ")\n",
+              file, line, i, (int)val, lower_bound_exclusive,
+              upper_bound_exclusive);
       err = 1;
     }
   }

@@ -43,8 +43,8 @@ void mld_debug_check_assert(const char *file, int line, const int val);
  **************************************************/
 #define mld_debug_check_bounds MLD_NAMESPACE(mldsa_debug_check_bounds)
 void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
-                            unsigned len, int lower_bound_exclusive,
-                            int upper_bound_exclusive);
+                            unsigned len, int64_t lower_bound_exclusive,
+                            int64_t upper_bound_exclusive);
 
 /* Check assertion, calling exit() upon failure
  *
@@ -60,14 +60,15 @@ void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
  * value_ub: Exclusive upper value bound */
 #define mld_assert_bound(ptr, len, value_lb, value_ub)                      \
   mld_debug_check_bounds(__FILE__, __LINE__, (const int32_t *)(ptr), (len), \
-                         (value_lb) - 1, (value_ub))
+                         ((int64_t)(value_lb)) - 1, (value_ub))
 
 /* Check absolute bounds in array of int32_t's
  * ptr: Base of array, expression of type int32_t*
  * len: Number of int32_t in array
  * value_abs_bd: Exclusive absolute upper bound */
-#define mld_assert_abs_bound(ptr, len, value_abs_bd) \
-  mld_assert_bound((ptr), (len), (-(value_abs_bd) + 1), (value_abs_bd))
+#define mld_assert_abs_bound(ptr, len, value_abs_bd)               \
+  mld_assert_bound((ptr), (len), (-((int64_t)(value_abs_bd)) + 1), \
+                   (value_abs_bd))
 
 /* Version of bounds assertions for 2-dimensional arrays */
 #define mld_assert_bound_2d(ptr, len0, len1, value_lb, value_ub) \

@@ -12,7 +12,7 @@
 /* Absolute exclusive upper bound for the output of the forward NTT */
 #define MLD_NTT_BOUND (9 * MLDSA_Q)
 /* Absolute exclusive upper bound for the output of the inverse NTT*/
-#define MLD_INTT_BOUND 4211139
+#define MLD_INTT_BOUND MLDSA_Q
 
 #define mld_ntt MLD_NAMESPACE(ntt)
 /*************************************************

@@ -18,9 +18,7 @@
 void mld_poly_reduce(mld_poly *a)
 {
   unsigned int i;
-  /* TODO: Introduce the following after using inclusive lower bounds in
-   * the underlying debug function mld_debug_check_bounds(). */
-  /* mld_assert_bound(a->coeffs, MLDSA_N, INT32_MIN, REDUCE32_DOMAIN_MAX); */
+  mld_assert_bound(a->coeffs, MLDSA_N, INT32_MIN, REDUCE32_DOMAIN_MAX);
 
   for (i = 0; i < MLDSA_N; ++i)
   __loop__(
@@ -74,6 +72,8 @@ void mld_poly_add(mld_poly *r, const mld_poly *b)
 void mld_poly_sub(mld_poly *r, const mld_poly *b)
 {
   unsigned int i;
+  mld_assert_abs_bound(b->coeffs, MLDSA_N, MLDSA_Q);
+  mld_assert_abs_bound(r->coeffs, MLDSA_N, MLDSA_Q);
 
   for (i = 0; i < MLDSA_N; ++i)
   __loop__(
@@ -84,6 +84,8 @@ void mld_poly_sub(mld_poly *r, const mld_poly *b)
   {
     r->coeffs[i] = r->coeffs[i] - b->coeffs[i];
   }
+
+  mld_assert_bound(r->coeffs, MLDSA_N, INT32_MIN, REDUCE32_DOMAIN_MAX);
 }
 
 void mld_poly_shiftl(mld_poly *a)
@@ -102,6 +104,7 @@ void mld_poly_shiftl(mld_poly *a)
      */
     a->coeffs[i] *= (1 << MLDSA_D);
   }
+  mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
 }
 
 #if !defined(MLD_USE_NATIVE_NTT)
@@ -132,7 +135,7 @@ void mld_poly_invntt_tomont(mld_poly *a)
 {
   mld_assert_abs_bound(a->coeffs, MLDSA_N, MLDSA_Q);
   mld_intt_native(a->coeffs);
-  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLDSA_Q);
+  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLD_INTT_BOUND);
 }
 #endif /* MLD_USE_NATIVE_INTT */
 
@@ -141,6 +144,9 @@ void mld_poly_pointwise_montgomery(mld_poly *c, const mld_poly *a,
 {
   unsigned int i;
 
+  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLD_NTT_BOUND);
+  mld_assert_abs_bound(b->coeffs, MLDSA_N, MLD_NTT_BOUND);
+
   for (i = 0; i < MLDSA_N; ++i)
   __loop__(
     invariant(i <= MLDSA_N)
@@ -149,6 +155,8 @@ void mld_poly_pointwise_montgomery(mld_poly *c, const mld_poly *a,
   {
     c->coeffs[i] = mld_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
   }
+
+  mld_assert_abs_bound(c->coeffs, MLDSA_N, MLDSA_Q);
 }
 
 void mld_poly_power2round(mld_poly *a1, mld_poly *a0, const mld_poly *a)
@@ -210,6 +218,7 @@ unsigned int mld_poly_make_hint(mld_poly *h, const mld_poly *a0,
   }
 
   mld_assert(s <= MLDSA_N);
+  mld_assert_bound(h->coeffs, MLDSA_N, 0, 2);
   return s;
 }
 
@@ -306,6 +315,7 @@ __contract__(
 {
   unsigned int ctr, pos;
   uint32_t t;
+  mld_assert_bound(a, offset, 0, MLDSA_Q);
 
 /* TODO: CBMC proof based on mld_rej_uniform_native */
 #if defined(MLD_USE_NATIVE_REJ_UNIFORM)
@@ -341,6 +351,8 @@ __contract__(
     }
   }
 
+  mld_assert_bound(a, ctr, 0, MLDSA_Q);
+
   return ctr;
 }
 
@@ -376,6 +388,7 @@ void mld_poly_uniform(mld_poly *a, const uint8_t seed[MLDSA_SEEDBYTES + 2])
     ctr = mld_rej_uniform(a->coeffs, MLDSA_N, ctr, buf, buflen);
   }
   mld_xof128_release(&state);
+  mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
@@ -435,6 +448,11 @@ void mld_poly_uniform_4x(mld_poly *vec0, mld_poly *vec1, mld_poly *vec2,
   }
   mld_xof128_x4_release(&state);
 
+  mld_assert_bound(vec0->coeffs, MLDSA_N, 0, MLDSA_Q);
+  mld_assert_bound(vec1->coeffs, MLDSA_N, 0, MLDSA_Q);
+  mld_assert_bound(vec2->coeffs, MLDSA_N, 0, MLDSA_Q);
+  mld_assert_bound(vec3->coeffs, MLDSA_N, 0, MLDSA_Q);
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
 }
@@ -496,6 +514,7 @@ __contract__(
   unsigned int ctr, pos;
   int t_valid;
   uint32_t t0, t1;
+  mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
 
 /* TODO: CBMC proof based on mld_rej_uniform_eta2_native */
 #if MLDSA_ETA == 2 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA2)
@@ -573,6 +592,8 @@ __contract__(
 #endif /* MLDSA_ETA != 2 && MLDSA_ETA != 4 */
   }
 
+  mld_assert_abs_bound(a, ctr, MLDSA_ETA + 1);
+
   return ctr;
 }
 
@@ -649,6 +670,11 @@ void mld_poly_uniform_eta_4x(mld_poly *r0, mld_poly *r1, mld_poly *r2,
 
   mld_xof256_x4_release(&state);
 
+  mld_assert_abs_bound(r0->coeffs, MLDSA_N, MLDSA_ETA + 1);
+  mld_assert_abs_bound(r1->coeffs, MLDSA_N, MLDSA_ETA + 1);
+  mld_assert_abs_bound(r2->coeffs, MLDSA_N, MLDSA_ETA + 1);
+  mld_assert_abs_bound(r3->coeffs, MLDSA_N, MLDSA_ETA + 1);
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
   mld_zeroize(extseed, sizeof(extseed));
@@ -676,6 +702,8 @@ void mld_poly_uniform_gamma1(mld_poly *a, const uint8_t seed[MLDSA_CRHBYTES],
 
   mld_xof256_release(&state);
 
+  mld_assert_bound(a->coeffs, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1);
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
   mld_zeroize(extseed, sizeof(extseed));
@@ -719,6 +747,11 @@ void mld_poly_uniform_gamma1_4x(mld_poly *r0, mld_poly *r1, mld_poly *r2,
   mld_polyz_unpack(r3, buf[3]);
   mld_xof256_x4_release(&state);
 
+  mld_assert_bound(r0->coeffs, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1);
+  mld_assert_bound(r1->coeffs, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1);
+  mld_assert_bound(r2->coeffs, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1);
+  mld_assert_bound(r3->coeffs, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1);
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
   mld_zeroize(extseed, sizeof(extseed));
@@ -796,11 +829,11 @@ void mld_poly_challenge(mld_poly *c, const uint8_t seed[MLDSA_CTILDEBYTES])
     signs >>= 1;
   }
 
+  mld_assert_bound(c->coeffs, MLDSA_N, -1, 2);
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(buf, sizeof(buf));
   mld_zeroize(&signs, sizeof(signs));
-
-  mld_assert_bound(c->coeffs, MLDSA_N, -1, 2);
 }
 
 void mld_polyeta_pack(uint8_t *r, const mld_poly *a)