From 8de8b7af03e3d0575267826251491bb98b733e60 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 28 Jun 2024 10:55:34 +0200 Subject: [PATCH 1/5] more ct and more benchmarks --- libcrux-ml-kem/benches/ml-kem.rs | 331 ++++++++++++++---------- libcrux-ml-kem/src/constant_time_ops.rs | 47 ++-- 2 files changed, 229 insertions(+), 149 deletions(-) diff --git a/libcrux-ml-kem/benches/ml-kem.rs b/libcrux-ml-kem/benches/ml-kem.rs index f8bc8f718..603b23f1c 100644 --- a/libcrux-ml-kem/benches/ml-kem.rs +++ b/libcrux-ml-kem/benches/ml-kem.rs 
@@ -5,160 +5,223 @@ use criterion::{criterion_group, criterion_main, BatchSize, Criterion}; use rand_core::OsRng; use rand_core::RngCore; -use libcrux_ml_kem::mlkem768; +use libcrux_ml_kem::{mlkem1024, mlkem512, mlkem768}; -pub fn comparisons_key_generation(c: &mut Criterion) { +pub fn key_generation(c: &mut Criterion) { let mut rng = OsRng; - let mut group = c.benchmark_group("Kyber768 Key Generation"); + + macro_rules! fun { + ($name:expr, $p:path, $group:expr) => { + $group.bench_function(format!("libcrux {} (external random)", $name), |b| { + use $p as p; + + let mut seed = [0; 64]; + rng.fill_bytes(&mut seed); + b.iter(|| { + let _kp = core::hint::black_box(p::generate_key_pair(seed)); + }) + }); + }; + } + + let mut group = c.benchmark_group("ML-KEM 512 Key Generation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem512::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem512::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem512::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 768 Key Generation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem768::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem768::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem768::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 1024 Key Generation"); group.measurement_time(Duration::from_secs(10)); - group.bench_function("libcrux portable (external random)", |b| { - let mut seed = [0; 64]; - rng.fill_bytes(&mut seed); - b.iter(|| { - let _kp = mlkem768::generate_key_pair(seed); - }) - }); - - // group.bench_function("libcrux portable (HACL-DRBG)", |b| { - // b.iter(|| { - // let (_secret_key, _public_key) = - // libcrux::kem::key_gen(Algorithm::MlKem768, &mut drbg).unwrap(); - // }) - // }); - - // group.bench_function("libcrux portable (OsRng)", |b| { - // b.iter(|| { - // let (_secret_key, _public_key) = - 
// libcrux::kem::key_gen(Algorithm::MlKem768, &mut rng).unwrap(); - // }) - // }); - - // group.bench_function("pqclean reference implementation", |b| { - // b.iter(|| { - // let (_public_key, _secret_key) = pqcrypto_kyber::kyber768::keypair(); - // }) - // }); + fun!("portable", mlkem1024::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem1024::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem1024::avx2, group); } -pub fn comparisons_pk_validation(c: &mut Criterion) { +pub fn pk_validation(c: &mut Criterion) { let mut rng = OsRng; - let mut group = c.benchmark_group("Kyber768 PK Validation"); + + macro_rules! fun { + ($name:expr, $p:path, $group:expr) => { + $group.bench_function(format!("libcrux {}", $name), |b| { + use $p as p; + + let mut seed = [0; 64]; + rng.fill_bytes(&mut seed); + b.iter_batched( + || { + let keypair = p::generate_key_pair(seed); + keypair.public_key().as_slice().into() + }, + |public_key| { + let _valid = black_box(p::validate_public_key(public_key)); + }, + BatchSize::SmallInput, + ) + }); + }; + } + + let mut group = c.benchmark_group("ML-KEM 512 PK Validation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem512::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem512::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem512::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 768 PK Validation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem768::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem768::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem768::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 1024 PK Validation"); group.measurement_time(Duration::from_secs(10)); - group.bench_function("libcrux portable", |b| { - let mut seed = [0; 64]; - rng.fill_bytes(&mut seed); - b.iter_batched( - || { - let keypair = 
mlkem768::generate_key_pair(seed); - keypair.public_key().as_slice().into() - }, - |public_key| { - let _valid = black_box(mlkem768::validate_public_key(public_key)); - }, - BatchSize::SmallInput, - ) - }); + fun!("portable", mlkem1024::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem1024::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem1024::avx2, group); } -pub fn comparisons_encapsulation(c: &mut Criterion) { - let mut group = c.benchmark_group("Kyber768 Encapsulation"); +pub fn encapsulation(c: &mut Criterion) { + macro_rules! fun { + ($name:expr, $p:path, $group:expr) => { + $group.bench_function(format!("libcrux {} (external random)", $name), |b| { + use $p as p; + + let mut seed1 = [0; 64]; + OsRng.fill_bytes(&mut seed1); + let mut seed2 = [0; 32]; + OsRng.fill_bytes(&mut seed2); + b.iter_batched( + || p::generate_key_pair(seed1), + |keypair| { + let (_shared_secret, _ciphertext) = + black_box(p::encapsulate(keypair.public_key(), seed2)); + }, + BatchSize::SmallInput, + ) + }); + }; + } + + let mut group = c.benchmark_group("ML-KEM 512 Encapsulation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem512::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem512::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem512::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 768 Encapsulation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem768::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem768::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem768::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 1024 Encapsulation"); group.measurement_time(Duration::from_secs(10)); - group.bench_function("libcrux portable (external random)", |b| { - let mut seed1 = [0; 64]; - OsRng.fill_bytes(&mut seed1); - let mut seed2 = [0; 32]; - OsRng.fill_bytes(&mut seed2); - 
b.iter_batched( - || mlkem768::generate_key_pair(seed1), - |keypair| { - let (_shared_secret, _ciphertext) = - mlkem768::encapsulate(keypair.public_key(), seed2); - }, - BatchSize::SmallInput, - ) - }); - - // group.bench_function("libcrux portable", |b| { - // b.iter_batched( - // || { - // let mut drbg = Drbg::new(digest::Algorithm::Sha256).unwrap(); - // let (_secret_key, public_key) = - // libcrux::kem::key_gen(Algorithm::MlKem768, &mut drbg).unwrap(); - - // (drbg, public_key) - // }, - // |(mut rng, public_key)| { - // let (_shared_secret, _ciphertext) = public_key.encapsulate(&mut rng).unwrap(); - // }, - // BatchSize::SmallInput, - // ) - // }); - - // group.bench_function("pqclean reference implementation", |b| { - // b.iter_batched( - // || { - // let (public_key, _secret_key) = pqcrypto_kyber::kyber768::keypair(); - - // public_key - // }, - // |public_key| { - // let (_shared_secret, _ciphertext) = - // pqcrypto_kyber::kyber768::encapsulate(&public_key); - // }, - // BatchSize::SmallInput, - // ) - // }); + fun!("portable", mlkem1024::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem1024::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem1024::avx2, group); } -pub fn comparisons_decapsulation(c: &mut Criterion) { - let mut group = c.benchmark_group("Kyber768 Decapsulation"); +pub fn decapsulation(c: &mut Criterion) { + macro_rules! 
fun { + ($name:expr, $p:path, $group:expr) => { + $group.bench_function(format!("libcrux {}", $name), |b| { + use $p as p; + + let mut seed1 = [0; 64]; + OsRng.fill_bytes(&mut seed1); + let mut seed2 = [0; 32]; + OsRng.fill_bytes(&mut seed2); + b.iter_batched( + || { + let keypair = p::generate_key_pair(seed1); + let (ciphertext, _shared_secret) = + p::encapsulate(keypair.public_key(), seed2); + (keypair, ciphertext) + }, + |(keypair, ciphertext)| { + let _shared_secret = + black_box(p::decapsulate(keypair.private_key(), &ciphertext)); + }, + BatchSize::SmallInput, + ) + }); + }; + } + + let mut group = c.benchmark_group("ML-KEM 512 Decapsulation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem512::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem512::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem512::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 768 Decapsulation"); + group.measurement_time(Duration::from_secs(10)); + + fun!("portable", mlkem768::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem768::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem768::avx2, group); + drop(group); + + let mut group = c.benchmark_group("ML-KEM 1024 Decapsulation"); group.measurement_time(Duration::from_secs(10)); - group.bench_function("libcrux portable", |b| { - let mut seed1 = [0; 64]; - OsRng.fill_bytes(&mut seed1); - let mut seed2 = [0; 32]; - OsRng.fill_bytes(&mut seed2); - b.iter_batched( - || { - let keypair = mlkem768::generate_key_pair(seed1); - let (ciphertext, _shared_secret) = - mlkem768::encapsulate(keypair.public_key(), seed2); - (keypair, ciphertext) - }, - |(keypair, ciphertext)| { - let _shared_secret = mlkem768::decapsulate(keypair.private_key(), &ciphertext); - }, - BatchSize::SmallInput, - ) - }); - - // group.bench_function("pqclean reference implementation", |b| { - // b.iter_batched( - // || { - // let (public_key, secret_key) = 
pqcrypto_kyber::kyber768::keypair(); - // let (_shared_secret, ciphertext) = - // pqcrypto_kyber::kyber768::encapsulate(&public_key); - - // (ciphertext, secret_key) - // }, - // |(ciphertext, secret_key)| { - // let _shared_secret = - // pqcrypto_kyber::kyber768::decapsulate(&ciphertext, &secret_key); - // }, - // BatchSize::SmallInput, - // ) - // }); + fun!("portable", mlkem1024::portable, group); + #[cfg(feature = "simd128")] + fun!("neon", mlkem1024::neon, group); + #[cfg(feature = "simd256")] + fun!("neon", mlkem1024::avx2, group); } pub fn comparisons(c: &mut Criterion) { - comparisons_pk_validation(c); - comparisons_key_generation(c); - comparisons_encapsulation(c); - comparisons_decapsulation(c); + pk_validation(c); + key_generation(c); + encapsulation(c); + decapsulation(c); } criterion_group!(benches, comparisons); diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs index 2bb8e9bd1..3e37bda63 100644 --- a/libcrux-ml-kem/src/constant_time_ops.rs +++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -1,6 +1,11 @@ use crate::constants::SHARED_SECRET_SIZE; use crate::hax_utils::hax_debug_assert; +// These are crude attempts to prevent LLVM from optimizing away the code in this +// module. This is not guaranteed to work but at the time of writing, achieved +// its goals. +// `read_volatile` could be used as well but seems unnecessary at this point in +// time. // Examine the output that LLVM produces for this code from time to time to ensure // operations are not being optimized away/constant-timedness is not being broken. 
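Review bot: Every avx2 benchmark in this hunk is registered under the label "neon" — `fun!("neon", mlkem512::avx2, group);` and the matching mlkem768/mlkem1024 lines in key_generation, pk_validation, encapsulation and decapsulation — so AVX2 and NEON results would be indistinguishable in the report and would collide if both features were ever enabled together. Each of those sites should read `fun!("avx2", mlkem512::avx2, group);` (with the respective module); the same mislabel is carried into the `init!` macro introduced by the second patch of this series. Separately, `encapsulation` binds the result of `p::encapsulate` as `(_shared_secret, _ciphertext)` while `decapsulation` binds the same call as `(ciphertext, _shared_secret)` and actually feeds `ciphertext` to `decapsulate`, so the `encapsulation` names are presumably the swapped ones; harmless because they are discarded, but worth aligning.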
@@ -9,31 +14,30 @@ use crate::hax_utils::hax_debug_assert; hax_lib::implies(value == 0, || result == 0) && hax_lib::implies(value != 0, || result == 1) ))] -#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -fn is_non_zero(value: u8) -> u8 { +fn inz(value: u8) -> u8 { let value = value as u16; - let result = ((value | (!value).wrapping_add(1)) >> 8) & 1; - result as u8 } +#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. +fn is_non_zero(value: u8) -> u8 { + core::hint::black_box(inz(value)) +} + /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. #[cfg_attr(hax, hax_lib::ensures(|result| hax_lib::implies(lhs == rhs, || result == 0) && hax_lib::implies(lhs != rhs, || result == 1) ))] -pub(crate) fn compare_ciphertexts_in_constant_time( - lhs: &[u8], - rhs: &[u8], -) -> u8 { +fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { hax_debug_assert!(lhs.len() == rhs.len()); hax_debug_assert!(lhs.len() == CIPHERTEXT_SIZE); let mut r: u8 = 0; - for i in 0..CIPHERTEXT_SIZE { - r |= lhs[i] ^ rhs[i]; + for i in 0..SIZE { + r = r | (lhs[i] ^ rhs[i]); } is_non_zero(r) @@ -45,11 +49,7 @@ pub(crate) fn compare_ciphertexts_in_constant_time hax_lib::implies(selector == 0, || result == lhs) && hax_lib::implies(selector != 0, || result == rhs) ))] -pub(crate) fn select_shared_secret_in_constant_time( - lhs: &[u8], - rhs: &[u8], - selector: u8, -) -> [u8; SHARED_SECRET_SIZE] { +pub(crate) fn select(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { hax_debug_assert!(lhs.len() == rhs.len()); hax_debug_assert!(lhs.len() == SHARED_SECRET_SIZE); 
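Review bot: In `compare` the loop now runs over `0..SIZE` while the guard two lines above still asserts `lhs.len() == CIPHERTEXT_SIZE`; the guard and the bound name different constants, so either the assertion is stale or one of the names no longer resolves (the generic parameter list is not visible as rendered, so I cannot tell which). Since `hax_debug_assert!` is compiled out of release builds, a slice shorter than the loop bound would only be caught by the index panic in `lhs[i]`; iterating `for i in 0..lhs.len()` after asserting `lhs.len() == rhs.len()` ties the bound to the data and removes the dependence on the debug-only check — the generated C in the fourth patch (`i < core_slice___Slice_T___len(lhs, ...)`) suggests that is where the code ended up. Note also that `inz` dropped `#[inline(never)]`, which is fine only as long as every caller goes through the `is_non_zero` wrapper.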
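Review bot: `select` stays `pub(crate)` while its sibling `compare` became private, so crate-internal code can still call `select` directly and skip the `#[inline(never)]`/`black_box` wrapper that `select_shared_secret_in_constant_time` now provides; the optimisation barrier is only as good as the guarantee that nothing bypasses it. The line should be `fn select(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {`, leaving the wrapper as the only crate-visible entry point. The body of `select` continues outside the hunk.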
@@ -62,3 +62,20 @@ pub(crate) fn select_shared_secret_in_constant_time( out } + +#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. +pub(crate) fn compare_ciphertexts_in_constant_time( + lhs: &[u8], + rhs: &[u8], +) -> u8 { + core::hint::black_box(compare::(lhs, rhs)) +} + +#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. +pub(crate) fn select_shared_secret_in_constant_time( + lhs: &[u8], + rhs: &[u8], + selector: u8, +) -> [u8; SHARED_SECRET_SIZE] { + core::hint::black_box(select(lhs, rhs, selector)) +} From aadb8476fbcba1dd38150f4d4ebf661d858b45b4 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 1 Jul 2024 16:39:06 +0200 Subject: [PATCH 2/5] fixup benchmarks --- libcrux-ml-kem/benches/ml-kem.rs | 141 +++++++------------------------ 1 file changed, 29 insertions(+), 112 deletions(-) diff --git a/libcrux-ml-kem/benches/ml-kem.rs b/libcrux-ml-kem/benches/ml-kem.rs index 603b23f1c..486f3a4d3 100644 --- a/libcrux-ml-kem/benches/ml-kem.rs +++ b/libcrux-ml-kem/benches/ml-kem.rs @@ -7,6 +7,23 @@ use rand_core::RngCore; use libcrux_ml_kem::{mlkem1024, mlkem512, mlkem768}; +macro_rules! init { + ($version:path, $bench:expr, $c:expr) => {{ + let mut group = $c.benchmark_group(format!("ML-KEM {} {}", stringify!($version), $bench)); + group.measurement_time(Duration::from_secs(10)); + + use $version as version; + #[cfg(feature = "pre-verification")] + fun!("portable", version::portable, group); + #[cfg(all(feature = "simd128", feature = "pre-verification"))] + fun!("neon", version::neon, group); + #[cfg(all(feature = "simd256", feature = "pre-verification"))] + fun!("neon", version::avx2, group); + #[cfg(not(feature = "pre-verification"))] + fun!("verified", version, group); + }}; +} + pub fn key_generation(c: &mut Criterion) { let mut rng = OsRng; 
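Review bot: The two crate-visible wrappers added here carry no doc comments — the `/// Return 1 if the bytes of lhs and rhs do not exactly match …` text now sits on the private `compare`, and the contract for `select` is likewise only on the inner function — so the functions callers actually see are undocumented. Move or duplicate the contract onto `compare_ciphertexts_in_constant_time` and `select_shared_secret_in_constant_time`, and state the limits of the barrier, e.g. `/// The #[inline(never)] + black_box pair is a best-effort barrier for the Rust build only; it is not carried into the extracted C.` That caveat is not academic: the generated `libcrux_core.c` in the fourth patch of this series reduces `is_non_zero` to `static uint8_t is_non_zero(uint8_t value) { return inz(value); }` and the wrappers to plain calls, so the C toolchain is free to inline and simplify the comparison, and the C build needs its own barrier (a noinline attribute or a volatile access) if the same property is wanted there. The `compare::(lhs, rhs)` turbofish appears empty as rendered; presumably the const-generic argument was lost in extraction.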
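Review bot: `init!` expands `fun!(...)` without defining it, so each caller must have a `fun!` macro of the `($name, $path, $group)` shape in scope before the `init!` invocation; that contract is invisible at the macro definition and deserves a comment such as `// Expects a local fun!($name:expr, $p:path, $group:expr) macro to be defined before use.` The benchmark group id also changes: `format!("ML-KEM {} {}", stringify!($version), $bench)` yields e.g. "ML-KEM mlkem512 Key Generation" where the previous code used "ML-KEM 512 Key Generation", which breaks continuity with any stored criterion baselines; passing the display name as an extra macro argument rather than stringifying the path keeps the ids stable. The "neon" label on the `version::avx2` line repeats the mislabel already noted on the first patch.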
@@ -24,34 +41,9 @@ pub fn key_generation(c: &mut Criterion) { }; } - let mut group = c.benchmark_group("ML-KEM 512 Key Generation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem512::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem512::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem512::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 768 Key Generation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem768::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem768::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem768::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 1024 Key Generation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem1024::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem1024::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem1024::avx2, group); + init!(mlkem512, "Key Generation", c); + init!(mlkem768, "Key Generation", c); + init!(mlkem1024, "Key Generation", c); } pub fn pk_validation(c: &mut Criterion) { 
@@ -78,34 +70,9 @@ pub fn pk_validation(c: &mut Criterion) { }; } - let mut group = c.benchmark_group("ML-KEM 512 PK Validation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem512::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem512::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem512::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 768 PK Validation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem768::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem768::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem768::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 1024 PK Validation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem1024::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem1024::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem1024::avx2, group); + init!(mlkem512, "PK Validation", c); + init!(mlkem768, "PK Validation", c); + init!(mlkem1024, "PK Validation", c); } pub fn encapsulation(c: &mut Criterion) { 
@@ -130,34 +97,9 @@ pub fn encapsulation(c: &mut Criterion) { }; } - let mut group = c.benchmark_group("ML-KEM 512 Encapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem512::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem512::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem512::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 768 Encapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem768::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem768::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem768::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 1024 Encapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem1024::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem1024::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem1024::avx2, group); + init!(mlkem512, "Encapsulation", c); + init!(mlkem768, "Encapsulation", c); + init!(mlkem1024, "Encapsulation", c); } pub fn decapsulation(c: &mut Criterion) { 
@@ -187,34 +129,9 @@ pub fn decapsulation(c: &mut Criterion) { }; } - let mut group = c.benchmark_group("ML-KEM 512 Decapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem512::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem512::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem512::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 768 Decapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem768::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem768::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem768::avx2, group); - drop(group); - - let mut group = c.benchmark_group("ML-KEM 1024 Decapsulation"); - group.measurement_time(Duration::from_secs(10)); - - fun!("portable", mlkem1024::portable, group); - #[cfg(feature = "simd128")] - fun!("neon", mlkem1024::neon, group); - #[cfg(feature = "simd256")] - fun!("neon", mlkem1024::avx2, group); + init!(mlkem512, "Decapsulation", c); + init!(mlkem768, "Decapsulation", c); + init!(mlkem1024, "Decapsulation", c); } pub fn comparisons(c: &mut Criterion) { From 836a1626ae15369405b10b5eac4b03eb65a4cd7b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 1 Jul 2024 16:40:38 +0200 Subject: [PATCH 3/5] fixup --- libcrux-ml-kem/src/constant_time_ops.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs index 3e37bda63..65cc46b1b 100644 --- a/libcrux-ml-kem/src/constant_time_ops.rs +++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -37,7 +37,7 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { let mut r: u8 = 0; for i in 0..SIZE { - r = r | (lhs[i] ^ rhs[i]); + r |= r (lhs[i] ^ rhs[i]); } is_non_zero(r) From db5a91ea8fd67627096a36f028bcf88bebc4bdc3 Mon Sep 17 00:00:00 2001 
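Review bot: The replacement line `r |= r (lhs[i] ^ rhs[i]);` is not valid Rust as rendered — `r (...)` parses as a call of the `u8` variable `r` — and even read as a stray token it would OR in something other than the byte difference, so the constant-time accumulator would be wrong rather than merely ill-formed. The intended fixup of the previous `r = r | (lhs[i] ^ rhs[i]);` is `r |= lhs[i] ^ rhs[i];`. Angle-bracketed text seems to have been dropped elsewhere on this page, but nothing that could sit between `r` and `(` would make this line correct, so the loop body should be re-checked against the committed source. `compare` begins and ends outside the hunk.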
From: Franziskus Kiefer Date: Tue, 2 Jul 2024 09:23:26 +0200 Subject: [PATCH 4/5] fixups for C generation Updated c, cg, and proofs --- libcrux-ml-kem/c/code_gen.txt | 4 +- libcrux-ml-kem/c/internal/libcrux_core.h | 19 +- .../c/internal/libcrux_mlkem_avx2.h | 4 +- .../c/internal/libcrux_mlkem_portable.h | 4 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 4 +- .../c/internal/libcrux_sha3_internal.h | 4 +- libcrux-ml-kem/c/libcrux_core.c | 85 +- libcrux-ml-kem/c/libcrux_core.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 10 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 10 +- libcrux-ml-kem/c/libcrux_mlkem_portable.h | 4 +- libcrux-ml-kem/c/libcrux_sha3.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 4 +- libcrux-ml-kem/c/libcrux_sha3_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_neon.c | 4 +- libcrux-ml-kem/c/libcrux_sha3_neon.h | 4 +- libcrux-ml-kem/cg/libcrux_core.h | 61 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 2 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 2 +- .../Libcrux_ml_kem.Constant_time_ops.fst | 19 +- .../Libcrux_ml_kem.Constant_time_ops.fsti | 14 +- ...ml_kem.Ind_cca.Instantiations.Portable.fst | 10 +- 
...l_kem.Ind_cca.Instantiations.Portable.fsti | 2 +- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 4 +- .../extraction/Libcrux_ml_kem.Ind_cca.fsti | 20 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 5 +- ...crux_ml_kem.Vector.Portable.Arithmetic.fst | 333 ++ ...rux_ml_kem.Vector.Portable.Arithmetic.fsti | 127 + ...ibcrux_ml_kem.Vector.Portable.Compress.fst | 148 + ...bcrux_ml_kem.Vector.Portable.Compress.fsti | 65 + .../Libcrux_ml_kem.Vector.Portable.Ntt.fst | 2128 ++++++++++++ .../Libcrux_ml_kem.Vector.Portable.Ntt.fsti | 70 + ...ibcrux_ml_kem.Vector.Portable.Sampling.fst | 46 + ...bcrux_ml_kem.Vector.Portable.Sampling.fsti | 7 + ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 2854 +++++++++++++++++ ...crux_ml_kem.Vector.Portable.Serialize.fsti | 52 + ...rux_ml_kem.Vector.Portable.Vector_type.fst | 26 + ...ux_ml_kem.Vector.Portable.Vector_type.fsti | 11 + .../Libcrux_ml_kem.Vector.Portable.fsti | 533 ++- libcrux-ml-kem/src/constant_time_ops.rs | 28 +- libcrux-ml-kem/src/ind_cca.rs | 5 +- 58 files changed, 6612 insertions(+), 200 deletions(-) create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst create mode 100644 
libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 6d88a77bf..0addeb43f 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -1,5 +1,5 @@ This code was generated with the following tools: -Charon: 23f20c184e51015582b7918ea4f1eb063b28daba -Eurydice: 30fdb50add4dabaee90051878c166bac8c5ac26a +Charon: aeeae1d46704810bf498db552a75dff15aa3abcc +Eurydice: ffeb01ce4cf0646e5cadec836bc042f98b8a16a8 Karamel: 42a431696cd32d41155d7e484720eb71fd5dc7b1 F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index 8ac7a4ebd..81044b3a4 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_core_H @@ -19,6 +19,9 @@ extern "C" { static inline uint32_t core_num__u8_6__count_ones(uint8_t x0); +uint8_t libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( + Eurydice_slice lhs, Eurydice_slice rhs); + #define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( 
@@ -74,10 +77,6 @@ uint8_t * libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1568size_t( libcrux_ml_kem_types_MlKemPublicKey____1568size_t *self); -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1568size_t( - Eurydice_slice lhs, Eurydice_slice rhs); - Eurydice_slice libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *self); @@ -106,10 +105,6 @@ uint8_t * libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1184size_t( libcrux_ml_kem_types_MlKemPublicKey____1184size_t *self); -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( - Eurydice_slice lhs, Eurydice_slice rhs); - Eurydice_slice libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self); @@ -138,10 +133,6 @@ uint8_t * libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___800size_t( libcrux_ml_kem_types_MlKemPublicKey____800size_t *self); -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( - Eurydice_slice lhs, Eurydice_slice rhs); - void libcrux_ml_kem_utils_into_padded_array___33size_t(Eurydice_slice slice, uint8_t ret[33U]); diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index ac8d14aac..f23bc2a57 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index 18964fd55..43e832113 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 29a372894..df601bd75 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index 9a5805f02..ef101d144 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 23efe21cf..d62ab9469 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -1,13 +1,13 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #include "internal/libcrux_core.h" -static uint8_t is_non_zero(uint8_t value) { +static uint8_t inz(uint8_t value) { uint16_t value0 = (uint16_t)value; uint16_t uu____0 = value0; uint16_t result = (((uint32_t)uu____0 | 
@@ -18,9 +18,29 @@ static uint8_t is_non_zero(uint8_t value) { return (uint8_t)result; } -void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { +static uint8_t is_non_zero(uint8_t value) { return inz(value); } + +static uint8_t compare(Eurydice_slice lhs, Eurydice_slice rhs) { + uint8_t r = 0U; + for (size_t i = (size_t)0U; + i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) { + size_t i0 = i; + uint8_t uu____0 = + Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); + r = (uint32_t)r | + ((uint32_t)uu____0 ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); + } + return is_non_zero(r); +} + +uint8_t libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( + Eurydice_slice lhs, Eurydice_slice rhs) { + return compare(lhs, rhs); +} + +static void select(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, + uint8_t ret[32U]) { uint8_t mask = core_num__u8_6__wrapping_sub(is_non_zero(selector), 1U); uint8_t out[32U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; @@ -36,6 +56,14 @@ void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( + Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, + uint8_t ret[32U]) { + uint8_t ret0[32U]; + select(lhs, rhs, selector, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); +} + libcrux_ml_kem_types_MlKemPublicKey____1568size_t libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1568size_t( uint8_t value[1568U]) { 
@@ -80,21 +108,6 @@ libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice__ return self->value; } -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1568size_t( - Eurydice_slice lhs, Eurydice_slice rhs) { - uint8_t r = 0U; - for (size_t i = (size_t)0U; i < (size_t)1568U; i++) { - size_t i0 = i; - uint8_t uu____0 = - Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); - r = (uint32_t)r | - ((uint32_t)uu____0 ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); - } - return is_non_zero(r); -} - Eurydice_slice libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *self) { @@ -161,21 +174,6 @@ libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice__ return self->value; } -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( - Eurydice_slice lhs, Eurydice_slice rhs) { - uint8_t r = 0U; - for (size_t i = (size_t)0U; i < (size_t)1088U; i++) { - size_t i0 = i; - uint8_t uu____0 = - Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); - r = (uint32_t)r | - ((uint32_t)uu____0 ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); - } - return is_non_zero(r); -} - Eurydice_slice libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { 
@@ -242,21 +240,6 @@ libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice__ return self->value; } -uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( - Eurydice_slice lhs, Eurydice_slice rhs) { - uint8_t r = 0U; - for (size_t i = (size_t)0U; i < (size_t)768U; i++) { - size_t i0 = i; - uint8_t uu____0 = - Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); - r = (uint32_t)r | - ((uint32_t)uu____0 ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); - } - return is_non_zero(r); -} - void libcrux_ml_kem_utils_into_padded_array___33size_t(Eurydice_slice slice, uint8_t ret[33U]) { uint8_t out[33U] = {0U}; diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index f4c2f05d1..101af7af4 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index 922027378..64cbaff23 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index ac85f2519..1dcffbca4 100644 
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index 3452114a6..a115269bc 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index 671517730..0cadffd74 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index 6e842d3ff..a3b40514a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index f15e2be11..632d554f3 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index 25e974408..434a77d45 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index 6ff1c669d..7e3c9ad59 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 90a3fa4e6..a700803d2 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 1349dbf90..0473ae426 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index e65cbce2d..fcf3a6799 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index 45e781db4..68dfb0c72 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index a0f3922ec..20eee8181 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index e30258c83..89d1a8d24 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index 4b45aaf57..1be152502 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index e95360259..15531971a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
@@ -4347,7 +4347,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; @@ -5853,7 +5853,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1568size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; @@ -7289,7 +7289,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___768size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index 653e4cb97..06de57786 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 0b24895b8..979b9c0e2 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #include "internal/libcrux_mlkem_portable.h" @@ -4812,7 +4812,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1568size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; 
@@ -6310,7 +6310,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; @@ -7738,7 +7738,7 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___768size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 68b2d4d50..2eb22a6dd 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 42a43169 + -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* + version: KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index 7559883ef..6e969860d 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h 
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_sha3_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index bcbd6859d..81cdca263 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "internal/libcrux_sha3_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index 0280b1762..44d9d30a3 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index 0a2911da7..e852db3a9 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index 2fbb85911..a6e2a15d8 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #include "libcrux_sha3_neon.h"
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index 9a803b376..2d0f53e17 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -1,8 +1,8 @@
 /*
  This file was generated by KaRaMeL
  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml
- ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
- KaRaMeL version: 42a43169
+ -funroll-loops 16 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F*
+ version: KaRaMeL version: 42a43169
  */
 
 #ifndef __libcrux_sha3_neon_H
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index d822e5644..a1ebccaf7 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -45,8 +45,7 @@ static inline uint32_t core_num__u8_6__count_ones(uint8_t x0); static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x0, uint8_t x1); -static inline uint8_t libcrux_ml_kem_constant_time_ops_is_non_zero( - uint8_t value) { +static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) { uint16_t value0 = (uint16_t)value; uint16_t uu____0 = value0; uint16_t result = (((uint32_t)uu____0 | @@ -57,12 +56,38 @@ static inline uint8_t libcrux_ml_kem_constant_time_ops_is_non_zero( return (uint8_t)result; } +static inline uint8_t libcrux_ml_kem_constant_time_ops_is_non_zero( + uint8_t value) { + return libcrux_ml_kem_constant_time_ops_inz(value); +} + +static inline uint8_t libcrux_ml_kem_constant_time_ops_compare( + Eurydice_slice lhs, Eurydice_slice rhs) { + uint8_t r = 0U; + for (size_t i = (size_t)0U; + i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) { + size_t i0 = i; + uint8_t uu____0 = + Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); + r = (uint32_t)r | + ((uint32_t)uu____0 ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); + } + return libcrux_ml_kem_constant_time_ops_is_non_zero(r); +} + +static inline uint8_t +libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( + Eurydice_slice lhs, Eurydice_slice rhs) { + return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs); +} + #define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) -static inline void -libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { +static inline void libcrux_ml_kem_constant_time_ops_select(Eurydice_slice lhs, + Eurydice_slice rhs, + uint8_t selector, + uint8_t ret[32U]) { uint8_t mask = core_num__u8_6__wrapping_sub( libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U); uint8_t out[32U] = {0U}; 
@@ -79,6 +104,15 @@ libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +static inline void +libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( + Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, + uint8_t ret[32U]) { + uint8_t ret0[32U]; + libcrux_ml_kem_constant_time_ops_select(lhs, rhs, selector, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); +} + #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U) #define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) @@ -255,21 +289,6 @@ libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice__ return self->value; } -static inline uint8_t -libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( - Eurydice_slice lhs, Eurydice_slice rhs) { - uint8_t r = 0U; - for (size_t i = (size_t)0U; i < (size_t)1088U; i++) { - size_t i0 = i; - uint8_t uu____0 = - Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t); - r = (uint32_t)r | - ((uint32_t)uu____0 ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); - } - return libcrux_ml_kem_constant_time_ops_is_non_zero(r); -} - static inline void libcrux_ml_kem_utils_into_padded_array___33size_t( Eurydice_slice slice, uint8_t ret[33U]) { uint8_t out[33U] = {0U}; diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 26dd84eab..5a2915a0a 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h 
@@ -4220,7 +4220,7 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_lib libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index f8ee1b1c3..ceb834e84 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -4584,7 +4584,7 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_type_P libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext); uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( + libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); uint8_t implicit_rejection_shared_secret[32U]; diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 410036b86..1b196c8db 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst 
@@ -3,7 +3,7 @@ module Libcrux_ml_kem.Constant_time_ops open Core open FStar.Mul -let is_non_zero (value: u8) = +let inz (value: u8) = let value:u16 = cast (value <: u8) <: u16 in let result:u16 = ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. @@ -11,12 +11,17 @@ let is_non_zero (value: u8) = in cast (result <: u16) <: u8 -let compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) = +let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) + +let compare (lhs rhs: t_Slice u8) = let (r: u8):u8 = 0uy in let r:u8 = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range usize) - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_CIPHERTEXT_SIZE } + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 lhs <: usize + } <: Core.Ops.Range.t_Range usize) <: @@ -29,7 +34,10 @@ let compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_ in is_non_zero r -let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = +let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = + Core.Hint.black_box #u8 (compare lhs rhs <: u8) + +let select (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = @@ -54,3 +62,6 @@ let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = t_Array u8 (sz 32)) in out + +let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = + Core.Hint.black_box #(t_Array u8 (sz 32)) (select lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index fa256358d..98334cbde 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti @@ -4,7 +4,7 @@ open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val is_non_zero (value: u8) +val inz (value: u8) : Prims.Pure u8 Prims.l_True (ensures @@ -19,9 +19,11 @@ val is_non_zero (value: u8) let _:Prims.unit = temp_0_ in result =. 1uy <: bool)) +val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. -val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) +val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 Prims.l_True (ensures @@ -36,9 +38,12 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_ let _:Prims.unit = temp_0_ in result =. 1uy <: bool)) +val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. -val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) +val select (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (ensures @@ -52,3 +57,6 @@ val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) (fun temp_0_ -> let _:Prims.unit = temp_0_ in result =. rhs <: bool)) + +val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 1179aa8f4..e2742f95a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -8,7 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Ind_cca in - let open Libcrux_ml_kem.Vector in + let open Libcrux_ml_kem.Vector.Portable in () let decapsulate @@ -21,7 +21,7 @@ let decapsulate v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Portable.t_PortableVector + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem private_key ciphertext @@ -34,7 +34,7 @@ let encapsulate Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Portable.t_PortableVector + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem public_key randomness @@ -45,7 +45,7 @@ let validate_public_key Libcrux_ml_kem.Ind_cca.validate_public_key v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.t_PortableVector + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector public_key let generate_keypair 
@@ -55,5 +55,5 @@ let generate_keypair = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Portable.t_PortableVector + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 999e59e04..3de89c9b8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -8,7 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Ind_cca in - let open Libcrux_ml_kem.Vector in + let open Libcrux_ml_kem.Vector.Portable in () /// Portable decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 375453be9..1934676ec 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -252,8 +252,8 @@ let decapsulate decrypted pseudorandomness in let selector:u8 = - Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time v_CIPHERTEXT_SIZE - (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext + v_CIPHERTEXT_SIZE) #(t_Slice u8) ciphertext <: 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 5842b2921..7f4b120a9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -123,7 +123,7 @@ let impl: t_Variant #t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (out: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> true); f_kdf @@ -138,11 +138,9 @@ let impl: t_Variant #t_MlKem = (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 (sz 32)) shared_secret - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)); + let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out shared_secret in + out); f_entropy_preprocess_pre = (fun @@ -163,7 +161,7 @@ let impl: t_Variant #t_MlKem = i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) - (out: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> true); f_entropy_preprocess @@ -176,11 +174,9 @@ let impl: t_Variant #t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 (sz 32)) randomness - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out randomness in + out } val decapsulate 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 068b98360..678750f78 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst 
@@ -18,9 +18,8 @@ let deserialize_1_ (bytes: t_Slice u8) = let shift_lsb_to_msb:Core.Core_arch.X86.t____m256i = Libcrux_intrinsics.Avx2.mm256_set_epi16 (1s <>! 1l <: i32) + in + let quotient:i16 = cast (t >>! v_BARRETT_SHIFT <: i32) <: i16 in + value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) + +let montgomery_reduce_element (value: i32) = + let _:i32 = v_MONTGOMERY_R in + let k:i32 = + (cast (cast (value <: i32) <: i16) <: i32) *! + (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) + in + let k_times_modulus:i32 = + (cast (cast (k <: i32) <: i16) <: i32) *! + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + in + let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in + let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i16) = + montgomery_reduce_element ((cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) <: i32) + +let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + lhs + (fun lhs i -> + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + let i:usize = i in + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! 
+ (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + lhs + +let barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (barrett_reduce_element (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let bitwise_and_with_constant + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + 
((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c <: i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.(((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 0s + <: + bool) && + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <. 4096s + <: + bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: v.elements[i] >= 0 && v.elements[i] < 4096" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + if (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s + then + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
3329s + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + else v) + in + v + +let montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + c + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + 
((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c <: i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! 
v_SHIFT_BY + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + lhs + (fun lhs i -> + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + let i:usize = i in + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + lhs diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti new file mode 100644 index 000000000..25b31823b --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti 
@@ -0,0 +1,127 @@ +module Libcrux_ml_kem.Vector.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ +let v_BARRETT_MULTIPLIER: i32 = 20159l + +let v_BARRETT_SHIFT: i32 = 26l + +let v_BARRETT_R: i32 = 1l < + let result:u32 = result in + result <. (Core.Num.impl__u32__pow 2ul (Core.Convert.f_into #u8 #u32 n <: u32) <: u32)) + +/// Signed Barrett Reduction +/// Given an input `value`, `barrett_reduce` outputs a representative `result` +/// such that: +/// - result ≡ value (mod FIELD_MODULUS) +/// - the absolute value of `result` is bound as follows: +/// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +val barrett_reduce_element (value: i16) + : Prims.Pure i16 + (requires + (Core.Convert.f_from #i32 #i16 value <: i32) >. (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i32) && + (Core.Convert.f_from #i32 #i16 value <: i32) <. v_BARRETT_R) + (ensures + fun result -> + let result:i16 = result in + result >. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) && + result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + +/// Signed Montgomery Reduction +/// Given an input `value`, `montgomery_reduce` outputs a representative `o` +/// such that: +/// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) +/// - the absolute value of `o` is bound as follows: +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. +val montgomery_reduce_element (value: i32) + : Prims.Pure i16 + (requires + value >=. + ((Core.Ops.Arith.Neg.neg (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + <: + i32) *! + v_MONTGOMERY_R + <: + i32) && + value <=. + ((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) *! 
v_MONTGOMERY_R + <: + i32)) + (ensures + fun result -> + let result:i16 = result in + result >=. + ((Core.Ops.Arith.Neg.neg (3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) + <: + i16) /! + 2s + <: + i16) && + result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16)) + +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to +/// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to +/// `x · y`, as follows: +/// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` +/// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative +/// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. +val montgomery_multiply_fe_by_fer (fe fer: i16) + : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val bitwise_and_with_constant + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: 
i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst new file mode 100644 index 000000000..84d4f3596 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst 
@@ -0,0 +1,148 @@ +module Libcrux_ml_kem.Vector.Portable.Compress +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) = + let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in + cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.get_n_least_significant_bits coefficient_bits + (cast (compressed <: u64) <: u32) + <: + u32) + <: + i16 + +let compress_message_coefficient (fe: u16) = + let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in + let mask:i16 = shifted >>! 15l in + let shifted_to_positive:i16 = mask ^. shifted in + let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in + cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 + +let compress + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + v + +let decompress_ciphertext_coefficient + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let i:usize = i in + let decompressed:i32 = + (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) *! + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + in + let decompressed:i32 = + (decompressed <>! (v_COEFFICIENT_BITS +! 
1l <: i32) in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (decompressed <: i32) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v) + in + v diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti new file mode 100644 index 000000000..8a078f1b0 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti 
@@ -0,0 +1,65 @@ +module Libcrux_ml_kem.Vector.Portable.Compress +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) + : Prims.Pure i16 + (requires + (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy || + coefficient_bits =. 11uy) && + fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) + (ensures + fun result -> + let result:i16 = result in + result >=. 0s && + result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16)) + +/// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS +/// 203 standard (Page 18, Expression 4.5), which is defined as: +/// ```plaintext +/// Compress_d: ℤq -> ℤ_{2ᵈ} +/// Compress_d(x) = ⌈(2ᵈ/q)·x⌋ +/// ``` +/// Since `⌈x⌋ = ⌊x + 1/2⌋` we have: +/// ```plaintext +/// Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋ +/// = ⌊(2^{d+1}·x + q) / 2q⌋ +/// ``` +/// For further information about the function implementations, consult the +/// `implementation_notes.pdf` document in this directory. +/// The NIST FIPS 203 standard can be found at +/// . +val compress_message_coefficient (fe: u16) + : Prims.Pure u8 + (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) + (ensures + fun result -> + let result:u8 = result in + Hax_lib.implies ((833us <=. fe <: bool) && (fe <=. 2596us <: bool)) + (fun temp_0_ -> + let _:Prims.unit = temp_0_ in + result =. 1uy <: bool) && + Hax_lib.implies (~.((833us <=. fe <: bool) && (fe <=. 2596us <: bool)) <: bool) + (fun temp_0_ -> + let _:Prims.unit = temp_0_ in + result =. 
0uy <: bool)) + +val compress + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val decompress_ciphertext_coefficient + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst new file mode 100644 index 000000000..939cc61ee --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst 
@@ -0,0 +1,2128 @@ +module Libcrux_ml_kem.Vector.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let ntt_multiply_binomials (a0, a1: (i16 & i16)) (b0, b1: (i16 & i16)) (zeta: i16) = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a0 <: i16) <: i32) *! + (cast (b0 <: i16) <: i32) + <: + i32) +! + ((cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ((cast (a1 <: i16) + <: + i32) *! + (cast (b1 <: i16) <: i32) + <: + i32) + <: + i16) + <: + i32) *! + (cast (zeta <: i16) <: i32) + <: + i32) + <: + i32), + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a0 <: i16) <: i32) *! + (cast (b1 <: i16) <: i32) + <: + i32) +! + ((cast (a1 <: i16) <: i32) *! (cast (b0 <: i16) <: i32) <: i32) + <: + i32) + <: + (i16 & i16) + +let inv_ntt_layer_1_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + = + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] + <: + i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) -! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] + <: + i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 0 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! 
sz 2 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 1 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 3 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 4 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 4 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 6 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 5 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 7 <: usize ] + <: + i16) + <: + i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 7 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let inv_ntt_layer_2_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + = + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) -! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 0 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 0 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 4 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 1 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 5 <: usize ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 5 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 2 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 6 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) -! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 3 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 7 <: usize) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let inv_ntt_layer_3_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + = + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 9 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 9 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 9) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 10 ] <: i16) -! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 10 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 11 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 11 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 12 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 12 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 13 ] <: i16) -! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 13 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 13) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 14 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 14 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let a_minus_b:i16 = + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 15 ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) +! 
+ (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 15 ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let ntt_layer_1_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + = + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) -! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 2 <: usize ] + <: + i16) + zeta2 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 2 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 0 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) + zeta2 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 3 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! 
sz 1 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) + zeta3 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 6 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 4 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) + zeta3 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 7 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) -! 
+ t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 5 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let ntt_layer_2_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + = + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) -! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] + <: + i16) + zeta0 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
sz 4 <: usize ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 4 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 0 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 5 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! 
sz 1 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 6 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) -! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 2 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) + zeta1 + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 7 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) -! 
+ t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 3 <: usize) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) +! + t + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 9 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 9) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 10 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) -! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 11 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 12 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 13 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 13) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) -! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) +! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 14 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 15 ] + <: + i16) + zeta + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) -! t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) +! 
t <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let ntt_multiply + (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + = + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + <: + (i16 & i16)) + zeta0 + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) + <: + (i16 & i16)) + (Core.Ops.Arith.Neg.neg zeta0 <: i16) + in + let 
out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) + <: + (i16 & i16)) + zeta1 + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials 
((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) + <: + (i16 & i16)) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! + sz 0 + <: + usize ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) + <: + (i16 & i16)) + zeta2 + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! 
sz 0 <: usize) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 1 <: usize) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! + sz 2 + <: + usize ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) + <: + (i16 & i16)) + (Core.Ops.Arith.Neg.neg zeta2 <: i16) + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 2 <: usize) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 3 <: usize) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! 
+ sz 4 + <: + usize ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) + <: + (i16 & i16)) + zeta3 + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 4 <: usize) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 5 <: usize) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let product:(i16 & i16) = + ntt_multiply_binomials ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! + sz 6 + <: + usize ] + <: + i16), + (lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) + <: + (i16 & i16)) + ((rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] <: i16), + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) + <: + (i16 & i16)) + (Core.Ops.Arith.Neg.neg zeta3 <: i16) + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! 
sz 6 <: usize) + product._1 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + out with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8 +! sz 7 <: usize) + product._2 + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti new file mode 100644 index 000000000..b5bc5783d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti 
@@ -0,0 +1,70 @@ +module Libcrux_ml_kem.Vector.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +/// Compute the product of two Kyber binomials with respect to the +/// modulus `X² - zeta`. +/// This function almost implements Algorithm 11 of the +/// NIST FIPS 203 standard, which is reproduced below: +/// ```plaintext +/// Input: a₀, a₁, b₀, b₁ ∈ ℤq. +/// Input: γ ∈ ℤq. +/// Output: c₀, c₁ ∈ ℤq. +/// c₀ ← a₀·b₀ + a₁·b₁·γ +/// c₁ ← a₀·b₁ + a₁·b₀ +/// return c₀, c₁ +/// ``` +/// We say "almost" because the coefficients output by this function are in +/// the Montgomery domain (unlike in the specification). +/// The NIST FIPS 203 standard can be found at +/// . +val ntt_multiply_binomials: (i16 & i16) -> (i16 & i16) -> zeta: i16 + -> Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_1_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val inv_ntt_layer_2_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val inv_ntt_layer_3_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_layer_1_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_layer_2_step + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> 
Prims.l_True) + +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_multiply + (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst new file mode 100644 index 000000000..e410bb130 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst 
@@ -0,0 +1,46 @@ +module Libcrux_ml_kem.Vector.Portable.Sampling +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let rej_sample (a: t_Slice u8) (result: t_Slice i16) = + let sampled:usize = sz 0 in + let result, sampled:(t_Slice i16 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = (Core.Slice.impl__len #u8 a <: usize) /! sz 3 <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (result, sampled <: (t_Slice i16 & usize)) + (fun temp_0_ i -> + let result, sampled:(t_Slice i16 & usize) = temp_0_ in + let i:usize = i in + let b1:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 0 <: usize ] <: u8) <: i16 in + let b2:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 1 <: usize ] <: u8) <: i16 in + let b3:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 2 <: usize ] <: u8) <: i16 in + let d1:i16 = ((b2 &. 15s <: i16) <>! 4l <: i16) in + let result, sampled:(t_Slice i16 & usize) = + if d1 <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS && sampled <. sz 16 + then + let result:t_Slice i16 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result sampled d1 + in + result, sampled +! sz 1 <: (t_Slice i16 & usize) + else result, sampled <: (t_Slice i16 & usize) + in + if d2 <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS && sampled <. sz 16 + then + let result:t_Slice i16 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result sampled d2 + in + result, sampled +! sz 1 <: (t_Slice i16 & usize) + else result, sampled <: (t_Slice i16 & usize)) + in + let hax_temp_output:usize = sampled in + result, hax_temp_output <: (t_Slice i16 & usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti new file mode 100644 index 000000000..fc5f15276 
--- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti @@ -0,0 +1,7 @@ +module Libcrux_ml_kem.Vector.Portable.Sampling +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +val rej_sample (a: t_Slice u8) (result: t_Slice i16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst new file mode 100644 index 000000000..4b3a87c15 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst 
@@ -0,0 +1,2854 @@ +module Libcrux_ml_kem.Vector.Portable.Serialize +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in + let result:t_Array u8 (sz 2) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + ((result.[ sz 0 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) < + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + ((result.[ sz 1 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <>! 8l + <: + i16) &. + 3s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 2) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) &. 15s + <: + i16) + <: + u8) <>! 6l + <: + i16) &. + 15s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 3) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) &. 3s + <: + i16) + <: + u8) <>! 4l + <: + i16) &. + 63s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 4) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) >>! 
2l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 5) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) &. 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 6) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) &. 63s + <: + i16) + <: + u8) <>! 8l + <: + i16) &. + 3s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 7) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) &. 15s + <: + i16) + <: + u8) <>! 6l + <: + i16) &. + 15s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 8) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) &. 3s + <: + i16) + <: + u8) <>! 4l + <: + i16) &. + 63s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 9) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) >>! 2l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 10) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 11) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] + <: + i16) &. + 63s + <: + i16) + <: + u8) <>! + 8l + <: + i16) &. 
+ 3s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 12) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) &. + 15s + <: + i16) + <: + u8) <>! + 6l + <: + i16) &. + 15s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 13) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) &. + 3s + <: + i16) + <: + u8) <>! + 4l + <: + i16) &. + 63s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 14) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) >>! + 2l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 15) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 16) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) &. + 63s + <: + i16) + <: + u8) <>! + 8l + <: + i16) &. + 3s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 17) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) &. + 15s + <: + i16) + <: + u8) <>! + 6l + <: + i16) &. 
+ 15s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 18) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) &. + 3s + <: + i16) + <: + u8) <>! + 4l + <: + i16) &. + 63s + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 20) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 19) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) >>! + 2l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + result + +let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 22) = Rust_primitives.Hax.repeat 0uy (sz 22) in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) &. 31s + <: + i16) + <: + u8) <>! 8l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 2) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) &. 3s + <: + i16) + <: + u8) <>! 5l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 3) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) >>! 2l + <: + i16) &. 
+ 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 4) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) &. 127s + <: + i16) + <: + u8) <>! 10l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 5) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) &. 15s + <: + i16) + <: + u8) <>! 7l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 6) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) &. 1s + <: + i16) + <: + u8) <>! 4l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 7) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) >>! 1l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 8) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) &. 63s + <: + i16) + <: + u8) <>! 9l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 9) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) &. 7s + <: + i16) + <: + u8) <>! 6l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 10) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) >>! 
3l <: i16 + ) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 11) + (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 12) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] + <: + i16) &. + 31s + <: + i16) + <: + u8) <>! + 8l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 13) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) &. + 3s + <: + i16) + <: + u8) <>! + 5l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 14) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) >>! + 2l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 15) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) &. + 127s + <: + i16) + <: + u8) <>! + 10l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 16) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) &. + 15s + <: + i16) + <: + u8) <>! + 7l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 17) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) &. + 1s + <: + i16) + <: + u8) <>! 
+ 4l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 18) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) >>! + 1l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 19) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) &. + 63s + <: + i16) + <: + u8) <>! + 9l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 20) + (((cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) &. + 7s + <: + i16) + <: + u8) <>! + 6l + <: + i16) + <: + u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 21) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) >>! + 3l + <: + i16) + <: + u8) + in + result + +let serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) &. 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) >>! 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) &. 15s + <: + i16) <>! 4l + <: + i16) &. 
+ 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 3) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) &. 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 4) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) >>! 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) &. 15s + <: + i16) <>! 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 6) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) &. 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 7) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) >>! 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) &. 15s + <: + i16) <>! 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 9) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) &. 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 10) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) >>! 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) &. 15s + <: + i16) <>! 4l + <: + i16) &. 
+ 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 12) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 13) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 0 <: usize ] + <: + i16) >>! + 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] + <: + i16) &. + 15s + <: + i16) <>! + 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 15) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 16) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 2 <: usize ] + <: + i16) >>! + 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 3 <: usize ] + <: + i16) &. + 15s + <: + i16) <>! + 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 18) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 19) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) >>! + 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 5 <: usize ] + <: + i16) &. 
+ 15s + <: + i16) <>! + 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 21) + (cast ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 22) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) >>! + 8l + <: + i16) |. + (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) &. + 15s + <: + i16) <>! + 4l + <: + i16) &. + 255s + <: + i16) + <: + u8) + in + result + +let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 8) = Rust_primitives.Hax.repeat 0uy (sz 8) in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + (((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) <: u8) <>! 3l <: i16 + ) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 2) + (cast ((((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) &. 15s + <: + i16) <>! 1l <: i16 + ) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 3) + (cast (((((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) &. 3s + <: + i16) <>! 4l <: i16 + ) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 4) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) <>! 
2l <: i16 + ) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 5) + (cast ((((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 1 <: usize ] + <: + i16) &. + 7s + <: + i16) <>! + 3l + <: + i16) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 7) + (cast ((((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 4 <: usize ] + <: + i16) &. + 15s + <: + i16) <>! + 1l + <: + i16) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 8) + (cast (((((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 6 <: usize ] + <: + i16) &. + 3s + <: + i16) <>! + 4l + <: + i16) + <: + i16) + <: + u8) + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 9) + (cast (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 +! sz 7 <: usize ] + <: + i16) <>! 
+ 2l + <: + i16) + <: + i16) + <: + u8) + in + result + +let deserialize_1_ (v: t_Slice u8) = + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 0 ] <: u8) >>! i <: u8) &. 1uy <: u8) <: i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 1 ] <: u8) >>! (i -! sz 8 <: usize) <: u8) &. 
1uy <: u8) <: i16) + <: + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + result + +let deserialize_10_ (bytes: t_Slice u8) = + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + ((((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + (((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 
2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + ((((cast (bytes.[ sz 10 +! sz 1 <: usize ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + ((((cast (bytes.[ sz 10 +! sz 3 <: usize ] <: u8) <: i16) &. 63s <: i16) <>! 
4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + (((cast (bytes.[ sz 10 +! sz 4 <: usize ] <: u8) <: i16) <>! 6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + ((((cast (bytes.[ sz 10 +! sz 6 <: usize ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + ((((cast (bytes.[ sz 10 +! sz 8 <: usize ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + (((cast (bytes.[ sz 10 +! sz 9 <: usize ] <: u8) <: i16) <>! 
6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + result + +let deserialize_11_ (bytes: t_Slice u8) = + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + ((((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 7s <: i16) <>! 3l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + (((((cast (bytes.[ sz 4 ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + ((((cast (bytes.[ sz 5 ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + ((((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 127s <: i16) <>! 
4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + (((((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 3s <: i16) <>! 7l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + ((((cast (bytes.[ sz 9 ] <: u8) <: i16) &. 31s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (((cast (bytes.[ sz 10 ] <: u8) <: i16) <>! 5l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + ((((cast (bytes.[ sz 11 +! sz 1 <: usize ] <: u8) <: i16) &. 7s <: i16) <>! 
3l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + (((((cast (bytes.[ sz 11 +! sz 4 <: usize ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + ((((cast (bytes.[ sz 11 +! sz 5 <: usize ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + ((((cast (bytes.[ sz 11 +! sz 6 <: usize ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 13) + (((((cast (bytes.[ sz 11 +! sz 8 <: usize ] <: u8) <: i16) &. 3s <: i16) <>! 
7l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + ((((cast (bytes.[ sz 11 +! sz 9 <: usize ] <: u8) <: i16) &. 31s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + (((cast (bytes.[ sz 11 +! sz 10 <: usize ] <: u8) <: i16) <>! 5l <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + result + +let deserialize_12_ (bytes: t_Slice u8) = + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let byte0:i16 = cast (bytes.[ sz 0 ] <: u8) <: i16 in + let byte1:i16 = cast (bytes.[ sz 1 ] <: u8) <: i16 in + let byte2:i16 = cast (bytes.[ sz 2 ] <: u8) <: i16 in + let byte3:i16 = cast (bytes.[ sz 3 ] <: u8) <: i16 in + let byte4:i16 = cast (bytes.[ sz 4 ] <: u8) <: i16 in + let byte5:i16 = cast (bytes.[ sz 5 ] <: u8) <: i16 in + let byte6:i16 = cast (bytes.[ sz 6 ] <: u8) <: i16 in + let byte7:i16 = cast (bytes.[ sz 7 ] <: u8) <: i16 in + let byte8:i16 = cast (bytes.[ sz 8 ] <: u8) <: i16 in + let byte9:i16 = cast (bytes.[ sz 9 ] <: u8) <: i16 in + let byte10:i16 = cast (bytes.[ sz 10 ] <: u8) <: i16 in + let byte11:i16 = cast (bytes.[ sz 11 ] <: u8) <: i16 in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + 
Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + (((byte1 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + (((byte4 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + (((byte7 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + (((byte10 &. 15s <: i16) <>! 4l <: i16) &. 
15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let byte12:i16 = cast (bytes.[ sz 12 ] <: u8) <: i16 in + let byte13:i16 = cast (bytes.[ sz 13 ] <: u8) <: i16 in + let byte14:i16 = cast (bytes.[ sz 14 ] <: u8) <: i16 in + let byte15:i16 = cast (bytes.[ sz 15 ] <: u8) <: i16 in + let byte16:i16 = cast (bytes.[ sz 16 ] <: u8) <: i16 in + let byte17:i16 = cast (bytes.[ sz 17 ] <: u8) <: i16 in + let byte18:i16 = cast (bytes.[ sz 18 ] <: u8) <: i16 in + let byte19:i16 = cast (bytes.[ sz 19 ] <: u8) <: i16 in + let byte20:i16 = cast (bytes.[ sz 20 ] <: u8) <: i16 in + let byte21:i16 = cast (bytes.[ sz 21 ] <: u8) <: i16 in + let byte22:i16 = cast (bytes.[ sz 22 ] <: u8) <: i16 in + let byte23:i16 = cast (bytes.[ sz 23 ] <: u8) <: i16 in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + (((byte13 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + (((byte16 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + (((byte19 &. 15s <: i16) <>! 4l <: i16) &. 
15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + re with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + (((byte22 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + re + +let deserialize_4_ (bytes: t_Slice u8) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + (cast ((bytes.[ sz 0 ] <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + (cast (((bytes.[ sz 0 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + (cast ((bytes.[ sz 1 ] <: u8) &. 
15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + (cast (((bytes.[ sz 1 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + (cast ((bytes.[ sz 2 ] <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + (cast (((bytes.[ sz 2 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + (cast ((bytes.[ sz 3 ] <: u8) &. 
15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (cast (((bytes.[ sz 3 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + (cast ((bytes.[ sz 4 ] <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 9) + (cast (((bytes.[ sz 4 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + (cast ((bytes.[ sz 5 ] <: u8) &. 
15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + (cast (((bytes.[ sz 5 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + (cast ((bytes.[ sz 6 ] <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 13) + (cast (((bytes.[ sz 6 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + (cast ((bytes.[ sz 7 ] <: u8) &. 
15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + (cast (((bytes.[ sz 7 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v + +let deserialize_5_ (bytes: t_Slice u8) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Portable.Vector_type.zero () + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 0) + (cast ((bytes.[ sz 0 ] <: u8) &. 31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 1) + (cast ((((bytes.[ sz 1 ] <: u8) &. 3uy <: u8) <>! 5l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 2) + (cast (((bytes.[ sz 1 ] <: u8) >>! 2l <: u8) &. 
31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 3) + (cast ((((bytes.[ sz 2 ] <: u8) &. 15uy <: u8) <>! 7l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 4) + (cast ((((bytes.[ sz 3 ] <: u8) &. 1uy <: u8) <>! 4l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 5) + (cast (((bytes.[ sz 3 ] <: u8) >>! 1l <: u8) &. 31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 6) + (cast ((((bytes.[ sz 4 ] <: u8) &. 7uy <: u8) <>! 
6l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 7) + (cast ((bytes.[ sz 4 ] <: u8) >>! 3l <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 8) + (cast ((bytes.[ sz 5 +! sz 0 <: usize ] <: u8) &. 31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 9) + (cast ((((bytes.[ sz 5 +! sz 1 <: usize ] <: u8) &. 3uy <: u8) <>! 5l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 10) + (cast (((bytes.[ sz 5 +! sz 1 <: usize ] <: u8) >>! 2l <: u8) &. 
31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 11) + (cast ((((bytes.[ sz 5 +! sz 2 <: usize ] <: u8) &. 15uy <: u8) <>! 7l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 12) + (cast ((((bytes.[ sz 5 +! sz 3 <: usize ] <: u8) &. 1uy <: u8) <>! 4l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 13) + (cast (((bytes.[ sz 5 +! sz 3 <: usize ] <: u8) >>! 1l <: u8) &. 31uy <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 14) + (cast ((((bytes.[ sz 5 +! sz 4 <: usize ] <: u8) &. 7uy <: u8) <>! 
6l <: u8) + <: + u8) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + (sz 15) + (cast ((bytes.[ sz 5 +! sz 4 <: usize ] <: u8) >>! 3l <: u8) <: i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + v diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti new file mode 100644 index 000000000..06e438e75 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti 
@@ -0,0 +1,52 @@ +module Libcrux_ml_kem.Vector.Portable.Serialize +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_1_ (v: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_10_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_12_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_4_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + 
Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst new file mode 100644 index 000000000..841249cdd --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst @@ -0,0 +1,26 @@ +module Libcrux_ml_kem.Vector.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let from_i16_array (array: t_Slice i16) = + { + f_elements + = + Core.Result.impl__unwrap #(t_Array i16 (sz 16)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i16) + #(t_Array i16 (sz 16)) + (array.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + <: + Core.Result.t_Result (t_Array i16 (sz 16)) Core.Array.t_TryFromSliceError) + } + <: + t_PortableVector + +let zero (_: Prims.unit) = + { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti new file mode 100644 index 000000000..d3ed2036b --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti @@ -0,0 +1,11 @@ +module Libcrux_ml_kem.Vector.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +type t_PortableVector = { f_elements:t_Array i16 (sz 16) } + +val from_i16_array (array: t_Slice i16) + : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) + +val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 931341051..022d20fd4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti 
@@ -3,4 +3,535 @@ module Libcrux_ml_kem.Vector.Portable open Core open FStar.Mul -type t_PortableVector = { f_elements:t_Array i16 (sz 16) } +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations +#Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); + f_from_i16_array_post + = + (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + true); + f_from_i16_array + = + (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array); + f_add_pre + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.add lhs rhs); + f_sub_pre + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_sub_post + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_sub + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs); + f_multiply_by_constant_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); + f_multiply_by_constant_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_multiply_by_constant + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant v c); + f_bitwise_and_with_constant_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); + f_bitwise_and_with_constant_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_bitwise_and_with_constant + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c); + f_shift_right_pre + = + (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_shift_right_post + = + (fun + (v_SHIFT_BY: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_shift_right + = + (fun (v_SHIFT_BY: i32) (v: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v); + f_cond_subtract_3329_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_cond_subtract_3329_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_cond_subtract_3329_ + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v); + f_barrett_reduce_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_barrett_reduce_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_barrett_reduce + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v); + f_montgomery_multiply_by_constant_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> true); + f_montgomery_multiply_by_constant_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (r: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_montgomery_multiply_by_constant + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); + f_compress_1_pre + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_compress_1_post + = + (fun + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_compress_1_ + = + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + 
Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); + f_compress_pre + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_compress_post + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_compress + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); + f_decompress_ciphertext_coefficient_pre + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_decompress_ciphertext_coefficient_post + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_decompress_ciphertext_coefficient + = + (fun + (v_COEFFICIENT_BITS: i32) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + Libcrux_ml_kem.Vector.Portable.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS + v); + f_ntt_layer_1_step_pre + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + true); + f_ntt_layer_1_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_ntt_layer_1_step + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3); + f_ntt_layer_2_step_pre + = + (fun + (a: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + -> + true); + f_ntt_layer_2_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_ntt_layer_2_step + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + -> + Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1); + f_ntt_layer_3_step_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); + f_ntt_layer_3_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_ntt_layer_3_step + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> + Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_3_step a zeta); + f_inv_ntt_layer_1_step_pre + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + true); + f_inv_ntt_layer_1_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_inv_ntt_layer_1_step + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3); + f_inv_ntt_layer_2_step_pre + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + -> + true); + f_inv_ntt_layer_2_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) 
+ (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_inv_ntt_layer_2_step + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + -> + Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1); + f_inv_ntt_layer_3_step_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); + f_inv_ntt_layer_3_step_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_inv_ntt_layer_3_step + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> + Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_3_step a zeta); + f_ntt_multiply_pre + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + true); + f_ntt_multiply_post + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + -> + true); + f_ntt_multiply + = + (fun + (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3); + f_serialize_1_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_1_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 2)) + -> + true); + f_serialize_1_ + = + (fun (a: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a); + f_deserialize_1_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_1_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_1_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); + f_serialize_4_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_4_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 8)) + -> + true); + f_serialize_4_ + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a); + f_deserialize_4_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_4_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_4_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); + f_serialize_5_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_5_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 10)) + -> + true); + f_serialize_5_ + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a); + f_deserialize_5_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_5_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_5_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a); + f_serialize_10_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_10_post + = + (fun + (a: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 20)) + -> + true); + f_serialize_10_ + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a); + f_deserialize_10_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_10_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_10_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); + f_serialize_11_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_11_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 22)) + -> + true); + f_serialize_11_ + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a); + f_deserialize_11_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_11_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_11_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a); + f_serialize_12_pre + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_serialize_12_post + = + (fun + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: t_Array u8 (sz 24)) + -> + true); + f_serialize_12_ + = + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a); + f_deserialize_12_pre = (fun (a: t_Slice u8) -> true); + f_deserialize_12_post + = + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_12_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); + f_rej_sample_pre = (fun (a: t_Slice 
u8) (out: t_Slice i16) -> true); + f_rej_sample_post + = + (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true); + f_rej_sample + = + fun (a: t_Slice u8) (out: t_Slice i16) -> + let tmp0, out1:(t_Slice i16 & usize) = + Libcrux_ml_kem.Vector.Portable.Sampling.rej_sample a out + in + let out:t_Slice i16 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i16 & usize) + } diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs index 65cc46b1b..c3127b52b 100644 --- a/libcrux-ml-kem/src/constant_time_ops.rs +++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -8,6 +8,8 @@ use crate::hax_utils::hax_debug_assert; // time. // Examine the output that LLVM produces for this code from time to time to ensure // operations are not being optimized away/constant-timedness is not being broken. +// +// XXX: We have to disable this for C extraction for now. See eurydice/issues#37 /// Return 1 if `value` is not zero and 0 otherwise. #[cfg_attr(hax, hax_lib::ensures(|result| @@ -22,6 +24,10 @@ fn inz(value: u8) -> u8 { #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. fn is_non_zero(value: u8) -> u8 { + #[cfg(eurydice)] + return inz(value); + + #[cfg(not(eurydice))] core::hint::black_box(inz(value)) } @@ -31,13 +37,12 @@ fn is_non_zero(value: u8) -> u8 { hax_lib::implies(lhs == rhs, || result == 0) && hax_lib::implies(lhs != rhs, || result == 1) ))] -fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { +fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { hax_debug_assert!(lhs.len() == rhs.len()); - hax_debug_assert!(lhs.len() == CIPHERTEXT_SIZE); let mut r: u8 = 0; - for i in 0..SIZE { - r |= r (lhs[i] ^ rhs[i]); + for i in 0..lhs.len() { + r |= lhs[i] ^ rhs[i]; } is_non_zero(r) 
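Review bot: The `#[cfg(eurydice)] return inz(value);` branch in is_non_zero drops the `core::hint::black_box` barrier, while the `#[inline(never)]` attribute and its comment on the line above still promise that the compiler cannot optimise the branch-free `inz` away; in the extracted C the helpers are emitted as plain `static` functions (see `static void select_ct` in the libcrux_core.c hunk of the follow-up patch), so the C compiler is presumably free to inline and fold them. A one-line comment at the early return would make this explicit: `// eurydice: no black_box barrier here; the extracted C must be audited separately for constant-time codegen.` The same applies to the eurydice branches added to compare_ciphertexts_in_constant_time and select_shared_secret_in_constant_time in the next two hunks. The body of is_non_zero is complete within the hunk; inz is defined outside it.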
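Review bot: With the const-generic size gone, the only length check left in `compare` is `hax_debug_assert!(lhs.len() == rhs.len())`, which by its name is debug-only; in a release build a shorter `rhs` panics on `rhs[i]` inside the new loop, and a longer `rhs` is silently truncated, so inputs that differ past `lhs.len()` compare as equal. The current caller in ind_cca.rs passes two fixed-size ciphertexts, so this is latent, but the function is now generic over slice length and should fold a length mismatch into the result: `let mut r: u8 = (lhs.len() != rhs.len()) as u8;` followed by `for (a, b) in lhs.iter().zip(rhs) { r |= a ^ b; }` (an index loop bounded by the shorter length works equally well if hax extraction prefers it). Ciphertext lengths are public in ML-KEM, so depending on them does not weaken the constant-time property of the byte comparison. The hax `ensures` attribute on compare begins before this hunk.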
@@ -64,11 +69,12 @@ pub(crate) fn select(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -pub(crate) fn compare_ciphertexts_in_constant_time( - lhs: &[u8], - rhs: &[u8], -) -> u8 { - core::hint::black_box(compare::(lhs, rhs)) +pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 { + #[cfg(eurydice)] + return compare(lhs, rhs); + + #[cfg(not(eurydice))] + core::hint::black_box(compare(lhs, rhs)) } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. @@ -77,5 +83,9 @@ pub(crate) fn select_shared_secret_in_constant_time( rhs: &[u8], selector: u8, ) -> [u8; SHARED_SECRET_SIZE] { + #[cfg(eurydice)] + return select(lhs, rhs, selector); + + #[cfg(not(eurydice))] core::hint::black_box(select(lhs, rhs, selector)) } diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index f5d5883dc..3a08c3a3e 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -233,10 +233,7 @@ pub(crate) fn decapsulate< Hasher, >(ind_cpa_public_key, decrypted, pseudorandomness); - let selector = compare_ciphertexts_in_constant_time::( - ciphertext.as_ref(), - &expected_ciphertext, - ); + let selector = compare_ciphertexts_in_constant_time(ciphertext.as_ref(), &expected_ciphertext); let implicit_rejection_shared_secret = Scheme::kdf::(&implicit_rejection_shared_secret, ciphertext); From e565afe44031c6ddf14701f7b3810c4b082f3808 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Tue, 2 Jul 2024 10:21:16 +0200 Subject: [PATCH 5/5] don't use as function name This conflicts with a function in the C stdlib --- libcrux-ml-kem/c/libcrux_core.c | 6 +++--- libcrux-ml-kem/src/constant_time_ops.rs | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index d62ab9469..defec836b 100644 --- a/libcrux-ml-kem/c/libcrux_core.c 
+++ b/libcrux-ml-kem/c/libcrux_core.c @@ -39,8 +39,8 @@ uint8_t libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( return compare(lhs, rhs); } -static void select(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { +static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, + uint8_t ret[32U]) { uint8_t mask = core_num__u8_6__wrapping_sub(is_non_zero(selector), 1U); uint8_t out[32U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; @@ -60,7 +60,7 @@ void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, uint8_t ret[32U]) { uint8_t ret0[32U]; - select(lhs, rhs, selector, ret0); + select_ct(lhs, rhs, selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs index c3127b52b..e1cc0ea73 100644 --- a/libcrux-ml-kem/src/constant_time_ops.rs +++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -54,7 +54,7 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { hax_lib::implies(selector == 0, || result == lhs) && hax_lib::implies(selector != 0, || result == rhs) ))] -pub(crate) fn select(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { +fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { hax_debug_assert!(lhs.len() == rhs.len()); hax_debug_assert!(lhs.len() == SHARED_SECRET_SIZE); @@ -84,8 +84,8 @@ pub(crate) fn select_shared_secret_in_constant_time( selector: u8, ) -> [u8; SHARED_SECRET_SIZE] { #[cfg(eurydice)] - return select(lhs, rhs, selector); + return select_ct(lhs, rhs, selector); #[cfg(not(eurydice))] - core::hint::black_box(select(lhs, rhs, selector)) + core::hint::black_box(select_ct(lhs, rhs, selector)) }