diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 19bf6bae1..c1b251529 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -4,7 +4,7 @@ open Core open FStar.Mul /// Portable SHAKE 128 state -type t_Shake128 = | Shake128 : t_Shake128 +val t_Shake128:Type0 /// Portable SHAKE 128 x4 state. /// We\'re using a portable implementation so this is actually sequential. @@ -21,9 +21,6 @@ val t_Shake256Absorb:Type0 val t_Shake256Squeeze:Type0 -val init_absorb__init_absorb (input: t_Slice u8) - : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) - val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index a9b24b26a..97db532b4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti 
@@ -11,13 +11,22 @@ val t_Shake128x4:Type0 /// AVX2 SHAKE 256 x4 state. val t_Shake256x4:Type0 +/// AVX2 SHAKE 256 state +val t_Shake256:Type0 + /// Init the state and absorb 4 blocks in parallel. val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + val shake256_x4 (v_OUT_LEN: usize) (input0 input1 input2 input3: t_Slice u8) @@ -27,6 +36,9 @@ val shake256_x4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & 
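Review bot: The new single-stream SHAKE-256 declarations `val t_Shake256:Type0`, `init_absorb_shake256`, `shake256` and `squeeze_first_block_shake256` carry no doc comments, while the neighbouring `init_absorb` is documented (`/// Init the state and absorb 4 blocks in parallel.`). Combined with the naming in this interface — `init_absorb` is the SHAKE-128 x4 initializer, `init_absorb_x4` the SHAKE-256 x4 one and `init_absorb_shake256` the single-stream one — a reader cannot tell from the `.fsti` alone which hash each state belongs to. Suggest `/// Init a single SHAKE-256 state and absorb [input].` on `init_absorb_shake256` and `/// One-shot SHAKE-256 of [input]; presumably fills and returns [out].` on `shake256` (the latter hedged, since the `Prims.l_True` spec says nothing about the output). If this file is hax output, as the `Prims.Pure … Prims.l_True` signatures suggest, the comments belong on the Rust functions so that extraction carries them; the second hunk of this file section (`squeeze_first_block_shake256`) has the same gap.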
@@ -143,6 +155,58 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let hax_temp_output, out:(Prims.unit & t_Array u8 v_OUTPUT_LENGTH) = + (), shake256 v_OUTPUT_LENGTH input out <: (Prims.unit & t_Array u8 v_OUTPUT_LENGTH) + in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self 
in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & @@ -151,7 +215,7 @@ val squeeze_next_block_x4 (state: t_Shake256x4) (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { f_init_absorb_x4_pre = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst new file mode 100644 index 000000000..db410963c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst 
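Review bot: `impl_1` changes meaning in this file: the new instance `let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256` is inserted before the existing `t_XofX4 t_Shake256x4` instance, which the following hunk (`@@ -151,7 +215,7 @@`) renames to `impl_2`. Hax appears to number anonymous instances positionally (`impl`, `impl_1`, `impl_2`), so any hand-written proof or lemma file that referred to `Libcrux_ml_dsa.Hash_functions.Simd256.impl_1` as the x4 instance now names an instance of a different class; the mismatch should surface as a type error rather than silently, but the non-generated proof files should be checked for such references. Note also that every `f_*_pre`/`f_*_post` in the new instance is `true`, so nothing in `impl_1` relates the absorbed input to the squeezed 136-byte blocks; that is expected for an extraction-only interface, but worth stating in the doc of `t_Xof` where it is declared so readers do not assume a functional specification.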
@@ -0,0 +1,97 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE 
v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT 
v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti new file mode 100644 index 000000000..f5492bbb9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti 
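Review bot: The new module has no module-level documentation, and what distinguishes it from `Instantiations.Avx2` is a choice a reader needs to know about: the single-stream SHAKE-256 is instantiated with `#Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256`, whereas the wrapper code it replaces used `#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256` (see the removed lines in the `Instantiations.Avx2.fst` hunks further down). That changes which SHAKE-256 implementation the ML-DSA AVX2 path runs, so it is a behavioural change rather than a pure restructuring, and it is easy to miss in a diff of this size. Suggest a header comment such as `/// AVX2 instantiation of the generic ML-DSA functions: SHAKE-128x4, SHAKE-256 and SHAKE-256x4 all come from Hash_functions.Simd256.`, plus — if the `_feature` suffix does mean these functions are target-feature gated on the Rust side — a sentence saying that callers must have established AVX2 availability. If the file is hax output, the comment belongs on the Rust module so that extraction carries it.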
@@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). 
+val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
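Review bot: The doc comments in this interface are inconsistent: `sign_pre_hashed_shake128` is documented as `/// Sign (pre-hashed).` while its counterpart `verify_pre_hashed_shake128` reads `/// Verify (pre-hashed with SHAKE-128).`; suggest `/// Sign (pre-hashed with SHAKE-128).` so both name the pre-hash fixed by the `#Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256)` instantiation in the `.fst`. The file also lacks a module-level comment, so nothing tells a reader how it differs from `Instantiations.Avx2`, which exposes the same five functions; a one-line header such as `/// ML-DSA generic instantiation for the AVX2 SIMD unit with Hash_functions.Simd256 hash states.` would help. If the file is hax output, both comments belong on the Rust side.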
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index 7aab62832..42e4c6671 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -3,28 +3,18 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness let sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) 
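Review bot: No CPU-feature check appears between `generate_key_pair` and the `Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair` it now calls, and the same holds for `sign`, `sign_pre_hashed_shake128`, `verify` and `verify_pre_hashed_shake128` in the following hunks of this file. The `_feature` module name suggests that on the Rust side the inner functions are compiled with an AVX2 target feature and that this wrapper is the boundary where availability is assumed; F* has no notion of target features, so that assumption is invisible in the extraction and a reader of the proofs cannot see where it is discharged. Suggest a comment in `Instantiations.Avx2.fsti`, e.g. `/// Thin wrappers over Avx2_feature; the verified code assumes the AVX2 feature is available on the executing CPU (runtime detection, if any, happens in the caller — confirm against the Rust source).`, so the scope of what is verified is explicit.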
@@ -35,11 +25,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness @@ -53,11 +40,8 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness 
@@ -72,11 +56,9 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature let verify_pre_hashed_shake128 @@ -89,10 +71,8 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index c244ca0d5..3763fcb0a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -3,18 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - /// Generate key pair. val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 878dd2cb5..95d331653 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst 
@@ -543,11 +543,7 @@ let sign <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -608,11 +604,7 @@ let sign_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -806,11 +798,7 @@ let verify <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError 
@@ -859,11 +847,7 @@ let verify_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index b36669c58..f0e0c4d22 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -9,6 +9,1889 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + 1976782l + (-846154l) + 1400424l + 3937738l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + (-1362209l) + (-48306l) + 3919660l + (-554416l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-3545687l) + 1612842l + (-976891l) + 183443l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + (-2286327l) + (-420899l) + (-2235985l) + (-2939036l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + (-3833893l) + (-260646l) + (-1104333l) + (-1667432l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + 1910376l + (-1803090l) + 1723600l + (-426683l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + 472078l + 1717735l + (-975884l) + 2213111l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + 269760l + 3866901l + 3523897l + (-3038916l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + (-1799107l) + (-3694233l) + 1652634l + 810149l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + 3014001l + 1616392l + 162844l + (-3183426l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-1207385l) + 185531l + 3369112l + 1957272l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + (-164721l) + 2454455l + 2432395l + (-2013608l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + (-3776993l) + 594136l + (-3724270l) + (-2584293l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + (-1846953l) + (-1671176l) + (-2831860l) + (-542412l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + 3406031l + 2235880l + 777191l + 1500165l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + (-1374803l) + (-2546312l) + 1917081l + (-1279661l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-1962642l) + 3306115l + 1312455l + (-451100l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + (-1430225l) + (-3318210l) + 1237275l + (-1333058l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-1050970l) + 1903435l + 1869119l + (-2994039l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + (-3548272l) + 2635921l + 1250494l + (-3767016l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + 1595974l + 2486353l + 1247620l + 4055324l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) + 1265009l + (-2590150l) + 2691481l + 2842341l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + 203044l + 1735879l + (-3342277l) + 3437287l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + 4108315l + (-2437823l) + 286988l + 342297l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + (-3595838l) + (-768622l) + (-525098l) + (-3556995l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + 3207046l + 2031748l + (-3122442l) + (-655327l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-522500l) + (-43260l) + (-1613174l) + 495491l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + 819034l + 909542l + 1859098l + 900702l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + (-3193378l) + (-1197226l) + (-3759364l) + (-3520352l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3513181l + (-1235728l) + 2434439l + 266997l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + (-3562462l) + (-2446433l) + 2244091l + (-3342478l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + 3817976l + 2316500l + 3407706l + 2091667l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + 3839961l + (-3628969l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + (-3881060l) + (-3019102l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + 
.Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-1439742l) + (-812732l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + (-1584928l) + 1285669l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + 1341330l + 1315589l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + (-177440l) + (-2409325l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + (-1851402l) + 3159746l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + (-3553272l) + 189548l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + (-1316856l) + 759969l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + (-210977l) + 2389356l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-3249728l) + 1653064l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + (-8578l) + (-3724342l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + 3958618l + 904516l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize 
re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + (-1100098l) + 44288l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + 3097992l + 508951l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + 264944l + (-3343383l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-1430430l) + 1852771l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + 1349076l + (-381987l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-1308169l) + (-22981l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + (-1228525l) + (-671102l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + (-2477047l) + (-411027l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) + (-3693493l) + (-2967645l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + 2715295l + 2147896l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + (-983419l) + 3412210l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + 126922l + (-3632928l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + (-3157330l) + (-3190144l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-1000202l) + (-4083598l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + 1939314l + (-1257611l) + <: + v_SIMDUnit) + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + (-1585221l) + 2176455l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3475950l + (-1452451l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + (-3041255l) + (-3677745l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + (-1528703l) + (-3930395l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + (-2797779l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + 2071892l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-2556880l) + <: + v_SIMDUnit) + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + 3900724l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + 3881043l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + 954230l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + 531354l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + 811944l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + 3699596l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + (-1600420l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + 
(Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-2140649l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + 3507263l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + (-3821735l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + 3505694l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + (-1643818l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + (-1699267l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-539299l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + 2348700l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-300467l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + 3539968l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + (-2867647l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) 
+ 3574422l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + (-3043716l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + (-3861115l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + 3915439l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + (-2537516l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-3592148l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + (-1661693l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + 3530437l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3077325l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + 95776l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + 2706023l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + let ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -26,30 +1909,32 @@ let ntt <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit -let invert_ntt_at_layer_1_ +let outer_3_plus (#v_SIMDUnit: Type0) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! sz 1 in - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let a_minus_b:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in - let round:usize = round in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
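Review bot: `outer_3_plus` reads and writes `re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY ]` for `j` in `[v_OFFSET, v_OFFSET +! v_STEP_BY)`, but the `fold_range` invariant is the constant `true` and nothing in the signature relates `v_OFFSET`/`v_STEP_BY` to the size of `f_simd_units`, so the in-bounds obligation is only dischargeable from the literal arguments at each call site. I would add a precondition at the definition, `requires v_OFFSET +! v_STEP_BY +! v_STEP_BY <=. sz 32` (or the `Prims.Pure` equivalent in the `.fsti`), so that any future caller with a bad offset/step pair is rejected here rather than silently relying on the unrolled constants. Since this is hax-extracted output (note the `Rust_primitives.Hax` namespace), the `requires` belongs on the Rust `outer_3_plus` via a hax attribute, not edited in the extraction. The body of `outer_3_plus` continues past this hunk into the next two.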
@@ -57,48 +1942,19 @@ let invert_ntt_at_layer_1_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] + <: + v_SIMDUnit) <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in - let zeta_i:usize = zeta_i -! sz 2 in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - in - let zeta_i:usize = zeta_i +! sz 1 in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - -let invert_ntt_at_layer_2_ - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
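Review bot: The butterfly reads `re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]` and `.[ j +! v_STEP_BY ]` twice each, once for `a_minus_b` in the previous hunk and again inside the `f_add` here, which hides that the subtraction must observe the pre-update values of both units. Binding them once, `let a = re.f_simd_units.[ j ] in let b = re.f_simd_units.[ j +! v_STEP_BY ] in`, and then writing `f_add a b` at `j` and `montgomery_multiply_by_fer (f_subtract b a) v_ZETA` at `j +! v_STEP_BY`, makes the read-before-write ordering explicit and shortens the extracted term. This is generated from the Rust source, so the restructuring would be done there. The enclosing `outer_3_plus` starts in the previous hunk and ends in the next.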
@@ -106,169 +1962,156 @@ let invert_ntt_at_layer_2_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit a_minus_b v_ZETA <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + re) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + re -let invert_ntt_at_layer_3_plus +let invert_ntt_at_layer_3_ (#v_SIMDUnit: Type0) - (v_LAYER: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
step_by <: usize) - (fun re temp_1_ -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in - let j:usize = j in - let a_minus_b:v_SIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] - <: - v_SIMDUnit) - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - j - (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] - <: - v_SIMDUnit) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (j +! 
step_by <: usize) - (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit - a_minus_b - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - re) - in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 1) 280005l re in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 2) (sz 1) 4010497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 1) (-19422l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 6) (sz 1) 1757237l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 1) (-3277672l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 10) (sz 1) (-1399561l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 1) (-3859737l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 14) (sz 1) (-2118186l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 1) (-2108549l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 18) (sz 1) 2619752l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 1) (-1119584l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 22) (sz 1) (-549488l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 1) 3585928l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 26) (sz 1) (-1079900l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 1) 1024112l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 30) (sz 1) 2725464l re + in + re -let invert_ntt_at_layer_0_ +let invert_ntt_at_layer_4_ (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! sz 1 in - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - 
(v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize ] <: i32) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let zeta_i:usize = zeta_i -! sz 4 in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 2) 2680103l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 2) 3111497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 2) (-2884855l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 2) 3119733l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 2) (-2091905l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 2) (-359251l) re in - let zeta_i:usize = zeta_i +! 
sz 1 in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 2) 2353451l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 2) 1826347l re + in + re + +let invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 4) 466468l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 4) (-876248l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 4) (-777960l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 4) 237124l re + in + re + +let invert_ntt_at_layer_6_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 8) (-518909l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 8) (-2608894l) re + in + re + +let invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 16) 25847l re + in + re let 
invert_ntt_montgomery (#v_SIMDUnit: Type0) 
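Review bot: The unrolled `invert_ntt_at_layer_3_` through `invert_ntt_at_layer_7_` replace the removed `v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ]` lookups with bare literals such as `280005l` and `25847l`, and nothing in the new code records that these are the Montgomery-form zetas (as the old table name suggests) or why the offsets advance by `2 * STEP_BY`. I would add above each layer a comment along the lines of `/// Layer k: butterflies between units [o, o+s) and [o+s, o+2s) for o = 0, 2s, ..., 32-2s with s = 2^(k-3); each i32 is the zeta already multiplied by R (formerly ZETAS_TIMES_MONTGOMERY_R[..])`. Because the table no longer anchors these values, a unit test or lemma pinning each literal to the corresponding table entry would keep the two from drifting silently, which for an NTT means silently wrong signatures rather than a verification failure. `outer_3_plus` ends at the start of this hunk and `invert_ntt_at_layer_3_` begins here.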
@@ -277,55 +2120,30 @@ let invert_ntt_montgomery Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_0_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_1_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_2_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_3_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_4_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_5_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_6_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_7_ #v_SIMDUnit re + in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti index d15c500f9..ed4cbfb4e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti 
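Review bot: The inverse NTT's correctness now rests on the zeta literals inlined into `invert_ntt_at_layer_3_` through `invert_ntt_at_layer_7_` matching, in reverse index order, the entries of the `v_ZETAS_TIMES_MONTGOMERY_R` table this commit deletes, and nothing in the hunk ties the two together. The literals visible earlier in the diff for layers 4–7 (`25847l`; `-518909l`/`-2608894l`; `466468l`/`-876248l`/`-777960l`/`237124l`; …/`2353451l`/`1826347l`) do agree with table entries 1..15 read backwards, but a sign or ordering slip in one layer would still type-check and surface only as invalid signatures. Since this file is hax output, the check belongs in the Rust source: a known-answer test of `invert_ntt_montgomery` against the previous table-driven version, or a per-layer `debug_assert!` that each inlined constant equals the table entry it replaced. The body of `invert_ntt_montgomery` continues past the end of the hunk with the `fold_range` call.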
@@ -9,47 +9,27 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = - let list = - [ - 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; - 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; - 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); - (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; - 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); - (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); - (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; - 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); - (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); - (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); - 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); - (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; - (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; - (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); - 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; - 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); - 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); - (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); - (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); - (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); - 342297l; 
286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; - 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; - 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; - (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; - (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); - (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); - 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; - 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; - 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); - 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); - (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; - (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list +let invert_ntt_at_layer_3___STEP: usize = sz 8 -val ntt +let invert_ntt_at_layer_3___STEP_BY: usize = sz 1 + +let invert_ntt_at_layer_4___STEP: usize = sz 16 + +let invert_ntt_at_layer_4___STEP_BY: usize = sz 2 + +let invert_ntt_at_layer_5___STEP: usize = sz 32 + +let invert_ntt_at_layer_5___STEP_BY: usize = sz 4 + +let invert_ntt_at_layer_6___STEP: usize = sz 64 + +let invert_ntt_at_layer_6___STEP_BY: usize = sz 8 + +let invert_ntt_at_layer_7___STEP: usize = sz 128 + +let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 + +val invert_ntt_at_layer_0_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
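Review bot: The ten `invert_ntt_at_layer_N___STEP` / `___STEP_BY` constants added to the interface have no visible consumer in this diff — the layer functions in `Libcrux_ml_dsa.Ntt.fst` pass offsets and steps to `outer_3_plus` as literals such as `(sz 0) (sz 4)` — so they widen the public signature without a visible use; if hax emits them only because the Rust source declares per-function `const` items, consider keeping them out of the `.fsti`. Removing `v_ZETAS_TIMES_MONTGOMERY_R` from the interface breaks any other module or proof that referenced the table; no such use is visible here, but it is worth a grep before merging. A doc comment on the first of the new constants stating the relation between the two values (the visible pairs `8/1, 16/2, 32/4, 64/8, 128/16` keep a fixed ratio of 8, presumably the coefficients per SIMD unit, which nothing states) would make the invariant checkable, e.g. `/// STEP_BY is STEP divided by the number of coefficients in a SIMD unit.`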
@@ -60,37 +40,74 @@ val ntt val invert_ntt_at_layer_1_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_3_plus +val outer_3_plus (#v_SIMDUnit: Type0) - (v_LAYER: usize) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_0_ +val invert_ntt_at_layer_3_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_ + (#v_SIMDUnit: Type0) + {| i1: 
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_6_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 0e6daf656..fb55f5f13 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
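Review bot: `outer_3_plus` takes `v_OFFSET` and `v_STEP_BY` as unconstrained `usize` under a `Prims.l_True` precondition, so the interface says nothing about the in-bounds relation the implementation must rely on; judging from the call sites elsewhere in the diff (`(sz 0) (sz 16)` for layer 7, `(sz 28) (sz 2)` for layer 4) the body touches units `v_OFFSET .. v_OFFSET + 2*v_STEP_BY - 1`, so the signature admits pairs that would index past the end of the ring element. If these extractions are checked beyond lax mode, replacing the precondition with something like `(requires v_OFFSET +! (v_STEP_BY *! sz 2) <=. sz 32)` — or the equivalent `hax_lib::requires` attribute on the Rust `outer_3_plus`, since this file is generated — would make the obligation explicit at the boundary rather than implicit in each caller's literals; the exact bound depends on the ring-element length, which this hunk does not show. The return-type change from `usize & t_PolynomialRingElement` to the bare ring element is applied consistently to `invert_ntt_at_layer_1_` through `_7_` here and matches the `.fst` hunk above, so no mismatch is visible.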
@@ -121,225 +121,2854 @@ let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products -let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in +let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2091667l 3407706l 2316500l + 3817976l (-3342478l) 2244091l (-2446433l) (-3562462l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 266997l 2434439l + (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) 900702l 1859098l 909542l + 819034l 495491l (-1613174l) (-43260l) (-522500l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! 
sz 1 <: usize ] <: u8) (-655327l) (-3122442l) + 2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) 342297l 286988l + (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 2842341l 2691481l + (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) (-3767016l) 1250494l + 2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! 
sz 1 <: usize ] <: u8) (-1333058l) 1237275l + (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1279661l) 1917081l + (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) (-542412l) (-2831860l) + (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) (-2013608l) 2432395l + 2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! 
sz 1 <: usize ] <: u8) (-3183426l) 162844l + 1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) (-3038916l) 3523897l + 3866901l 269760l 2213111l (-975884l) 1717735l 472078l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) (-426683l) 1723600l + (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) (-2939036l) (-2235985l) + (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! 
sz 1 <: usize ] <: u8) (-554416l) 3919660l + (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 0 ] <: u8) + (re.[ sz 0 +! sz 1 <: usize ] <: u8) + (-3930395l) + (-1528703l) + (-3677745l) + (-3041255l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 2 ] <: u8) + (re.[ sz 2 +! sz 1 <: usize ] <: u8) + (-1452451l) + 3475950l + 2176455l + (-1585221l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 4 ] <: u8) + (re.[ sz 4 +! sz 1 <: usize ] <: u8) + (-1257611l) + 1939314l + (-4083598l) + (-1000202l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 6 ] <: u8) + (re.[ sz 6 +! sz 1 <: usize ] <: u8) + (-3190144l) + (-3157330l) + (-3632928l) + 126922l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 8 ] <: u8) + (re.[ sz 8 +! sz 1 <: usize ] <: u8) + 3412210l + (-983419l) + 2147896l + 2715295l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 10 ] <: u8) + (re.[ sz 10 +! sz 1 <: usize ] <: u8) + (-2967645l) + (-3693493l) + (-411027l) + (-2477047l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 12 ] <: u8) + (re.[ sz 12 +! sz 1 <: usize ] <: u8) + (-671102l) + (-1228525l) + (-22981l) + (-1308169l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 14 ] <: u8) + (re.[ sz 14 +! sz 1 <: usize ] <: u8) + (-381987l) + 1349076l + 1852771l + (-1430430l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 16 ] <: u8) + (re.[ sz 16 +! sz 1 <: usize ] <: u8) + (-3343383l) + 264944l + 508951l + 3097992l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 18 ] <: u8) + (re.[ sz 18 +! sz 1 <: usize ] <: u8) + 44288l + (-1100098l) + 904516l + 3958618l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 20 ] <: u8) + (re.[ sz 20 +! sz 1 <: usize ] <: u8) + (-3724342l) + (-8578l) + 1653064l + (-3249728l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 22 ] <: u8) + (re.[ sz 22 +! sz 1 <: usize ] <: u8) + 2389356l + (-210977l) + 759969l + (-1316856l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 24 ] <: u8) + (re.[ sz 24 +! sz 1 <: usize ] <: u8) + 189548l + (-3553272l) + 3159746l + (-1851402l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 26 ] <: u8) + (re.[ sz 26 +! sz 1 <: usize ] <: u8) + (-2409325l) + (-177440l) + 1315589l + 1341330l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 28 ] <: u8) + (re.[ sz 28 +! sz 1 <: usize ] <: u8) + 1285669l + (-1584928l) + (-812732l) + (-1439742l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 30 ] <: u8) + (re.[ sz 30 +! sz 1 <: usize ] <: u8) + (-3019102l) + (-3881060l) + (-3628969l) + 3839961l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2706023l 95776l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 3077325l 3530437l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) (-1661693l) (-3592148l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! 
sz 1 <: usize ] <: u8) (-2537516l) 3915439l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) (-3861115l) (-3043716l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 3574422l (-2867647l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) 3539968l (-300467l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) 2348700l (-539299l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! 
sz 1 <: usize ] <: u8) (-1699267l) (-1643818l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) 3505694l (-3821735l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) 3507263l (-2140649l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-1600420l) 3699596l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) 811944l 531354l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! 
sz 1 <: usize ] <: u8) 954230l 3881043l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) 3900724l (-2556880l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) 2071892l (-2797779l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let inverse_of_modulus_mod_montgomery_r:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) + <: + i32) + in + let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in + let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in + let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 8 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 16 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 12 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 20 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + re + +let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 237124l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-777960l) in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-876248l) in + let offset:usize = + ((sz 2 *! 
ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 466468l in + let offset:usize = + ((sz 3 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let _:Prims.unit = () in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1826347l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2353451l in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! step_by <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! - step_by - <: - usize ] - <: - u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-359251l) in + let offset:usize = + ((sz 2 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2091905l) in + let offset:usize = + ((sz 3 *! 
ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ round ] <: u8) (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3119733l in + let offset:usize = + ((sz 4 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2884855l) in + let offset:usize = + ((sz 5 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 4 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3111497l in + let offset:usize = + ((sz 6 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 5 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2680103l in + let offset:usize = + ((sz 7 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 6 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let _:Prims.unit = () in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2725464l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 7 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1024112l in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 8 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let zeta_i:usize = zeta_i +! 
sz 1 in - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1079900l) in + let offset:usize = + ((sz 2 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ round ] <: u8) - (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3585928l in + let offset:usize = + ((sz 3 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-549488l) in + let offset:usize = + ((sz 4 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 4 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1119584l) in + let offset:usize = + ((sz 5 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2619752l in + let offset:usize = + ((sz 6 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2108549l) in + let offset:usize = + ((sz 7 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2118186l) in + let offset:usize = + ((sz 8 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3859737l) in + let offset:usize = + ((sz 9 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1399561l) in + let offset:usize = + ((sz 10 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3277672l) in + let offset:usize = + ((sz 11 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1757237l in + let offset:usize = + ((sz 12 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-19422l) in + let offset:usize = + ((sz 13 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 4010497l in + let offset:usize = + ((sz 14 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 280005l in + let offset:usize = + ((sz 15 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ round ] <: u8) - (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 1 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in + let _:Prims.unit = () in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array u8 (sz 32)) + re let ntt (re: t_Array u8 (sz 32)) = - let zeta_i:usize = sz 0 in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 7) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 6) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 5) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 4) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 3) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = 
ntt_at_layer_2_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_1_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_0_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_7_and_6_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_2_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_1_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_0_ re in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index 2b4b65ff5..afa539b9a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -5,6 +5,27 @@ open FStar.Mul let butterfly_2___SHUFFLE: i32 = 216l +let ntt_at_layer_5_to_3___STEP: usize = sz 1 < Prims.l_True) 
@@ -23,17 +44,26 @@ val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// This is equivalent to the pqclean 0 and 1 +/// This does 32 Montgomery multiplications (192 multiplications). +/// This is the same as in pqclean. The only difference is locality of registers. +val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Layer 5, 4, 3 +/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total +/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) +val ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val ntt (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index 47babb998..8cb54365c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -591,6 +591,427 @@ let simd_unit_ntt_at_layer_0_ in simd_unit +let ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_0_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2091667l + 3407706l + 2316500l + 3817976l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_0_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3342478l) + 2244091l + (-2446433l) + (-3562462l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_0_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 266997l + 2434439l + (-1235728l) + 3513181l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_0_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3520352l) + (-3759364l) + (-1197226l) + (-3193378l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_0_ (re.[ sz 4 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 900702l + 1859098l + 909542l + 819034l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_0_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 495491l + (-1613174l) + (-43260l) + (-522500l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_0_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-655327l) + (-3122442l) + 2031748l + 3207046l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_0_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3556995l) + (-525098l) + (-768622l) + (-3595838l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_0_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 342297l + 286988l + (-2437823l) + 4108315l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_0_ (re.[ sz 9 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3437287l + (-3342277l) + 1735879l + 203044l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_0_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2842341l + 2691481l + (-2590150l) + 1265009l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_0_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 4055324l + 1247620l + 2486353l + 1595974l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_0_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3767016l) + 1250494l + 2635921l + (-3548272l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_0_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2994039l) + 1869119l + 1903435l + (-1050970l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_0_ (re.[ sz 14 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1333058l) + 1237275l + (-3318210l) + (-1430225l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_0_ (re.[ sz 15 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-451100l) + 1312455l + 3306115l + (-1962642l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_0_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1279661l) + 1917081l + (-2546312l) + (-1374803l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_0_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1500165l + 777191l + 2235880l + 3406031l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_0_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-542412l) + (-2831860l) + (-1671176l) + (-1846953l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_0_ (re.[ sz 19 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2584293l) + (-3724270l) + 594136l + (-3776993l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_0_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2013608l) + 2432395l + 2454455l + (-164721l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_0_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1957272l + 3369112l + 185531l + (-1207385l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_0_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3183426l) + 162844l + 1616392l + 3014001l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_0_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 810149l + 1652634l + (-3694233l) + (-1799107l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_0_ (re.[ sz 24 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3038916l) + 3523897l + 3866901l + 269760l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_0_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2213111l + (-975884l) + 1717735l + 472078l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_0_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-426683l) + 1723600l + (-1803090l) + 1910376l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 27) + (simd_unit_ntt_at_layer_0_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1667432l) + (-1104333l) + (-260646l) + (-3833893l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_0_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2939036l) + (-2235985l) + (-420899l) + (-2286327l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_0_ (re.[ sz 29 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 183443l + (-976891l) + 1612842l + (-3545687l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_0_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-554416l) + 3919660l + (-48306l) + (-1362209l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_0_ (re.[ sz 31 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3937738l + 1400424l + (-846154l) + 1976782l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + let simd_unit_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta1 zeta2: i32) 
@@ -745,6 +1166,363 @@ let simd_unit_ntt_at_layer_1_ in simd_unit +let ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_1_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3930395l) + (-1528703l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_1_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3677745l) + (-3041255l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_1_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1452451l) + 3475950l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_1_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2176455l + (-1585221l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_1_ (re.[ sz 4 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1257611l) + 1939314l + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_1_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-4083598l) + (-1000202l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_1_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3190144l) + (-3157330l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_1_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3632928l) + 126922l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_1_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3412210l + (-983419l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_1_ (re.[ sz 9 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2147896l + 2715295l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = 
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_1_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2967645l) + (-3693493l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_1_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-411027l) + (-2477047l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_1_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-671102l) + (-1228525l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_1_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-22981l) + (-1308169l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_1_ (re.[ sz 14 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-381987l) + 1349076l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_1_ (re.[ sz 15 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1852771l + (-1430430l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_1_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3343383l) + 264944l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_1_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 508951l + 3097992l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_1_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 44288l + (-1100098l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_1_ (re.[ sz 19 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 904516l + 3958618l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_1_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3724342l) + (-8578l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 
in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_1_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1653064l + (-3249728l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_1_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2389356l + (-210977l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_1_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 759969l + (-1316856l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_1_ (re.[ sz 24 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 189548l + (-3553272l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_1_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3159746l + (-1851402l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_1_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2409325l) + (-177440l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 27) + (simd_unit_ntt_at_layer_1_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1315589l + 1341330l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_1_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1285669l + (-1584928l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_1_ (re.[ sz 29 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-812732l) + (-1439742l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_1_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3019102l) + (-3881060l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_1_ (re.[ sz 31 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3628969l) + 3839961l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + let simd_unit_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) 
@@ -899,315 +1677,522 @@ let simd_unit_ntt_at_layer_2_ in simd_unit -let ntt_at_layer_0_ - (zeta_i: usize) +let ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_0_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! 
sz 4 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_2_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2706023l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_2_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 95776l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_2_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3077325l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_2_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3530437l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_2_ (re.[ sz 4 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1661693l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_2_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3592148l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_2_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2537516l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_2_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3915439l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_2_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3861115l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_2_ (re.[ sz 9 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3043716l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_2_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3574422l + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_2_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2867647l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_2_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3539968l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_2_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-300467l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_2_ (re.[ sz 14 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2348700l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_2_ (re.[ sz 15 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-539299l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_2_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1699267l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_2_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1643818l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_2_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3505694l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_2_ (re.[ sz 19 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3821735l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_2_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3507263l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_2_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2140649l) + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_2_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1600420l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_2_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3699596l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_2_ (re.[ sz 24 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 811944l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_2_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 531354l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_2_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 954230l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize 
re + (sz 27) + (simd_unit_ntt_at_layer_2_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3881043l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_2_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3900724l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_2_ (re.[ sz 29 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2556880l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_2_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2071892l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_2_ (re.[ sz 31 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2797779l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - let zeta_i:usize = zeta_i -! 
sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + re -let ntt_at_layer_1_ - (zeta_i: usize) +let outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! 
+ v_STEP_BY + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + v_ZETA in - let round:usize = round in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_1_ (re.[ round ] + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] - <: - i32) + t <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - let zeta_i:usize = zeta_i +! sz 2 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -let ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! 
sz 1 in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_2_ (re.[ round ] + j + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + t <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + re) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + re -let ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) +let ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
step_by <: usize) - (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! - step_by - <: - usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 1) 2725464l re in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 2) (sz 1) 1024112l re + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 1) (-1079900l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 6) (sz 1) 3585928l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 1) (-549488l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 10) (sz 1) (-1119584l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 1) 2619752l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 14) (sz 1) (-2108549l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 1) (-2118186l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 18) (sz 1) (-3859737l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 1) (-1399561l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 22) (sz 1) (-3277672l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 1) 1757237l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 26) (sz 1) (-19422l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 1) 4010497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 30) (sz 1) 280005l re + in + re + +let ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + 
let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 2) 1826347l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 2) 2353451l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 2) (-359251l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 2) (-2091905l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 2) 3119733l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 2) (-2884855l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 2) 3111497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 2) 2680103l re + in + re + +let ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 4) 237124l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 4) (-777960l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 4) (-876248l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 4) 466468l re + in + re + +let ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 8) (-2608894l) re + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 8) (-518909l) re + in + re + +let ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 16) 25847l re + in + re let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = sz 0 in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 7) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 6) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 5) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 4) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 3) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () 
in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_2_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_1_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_0_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0_ re + in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index abb1d13d4..61fd4f830 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti @@ -3,6 +3,26 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul +let ntt_at_layer_3___STEP: usize = sz 8 + +let ntt_at_layer_3___STEP_BY: usize = sz 1 + +let ntt_at_layer_4___STEP: usize = sz 16 + +let ntt_at_layer_4___STEP_BY: usize = sz 2 + +let ntt_at_layer_5___STEP: usize = sz 32 + +let ntt_at_layer_5___STEP_BY: usize = sz 4 + +let ntt_at_layer_6___STEP: usize = sz 64 + +let ntt_at_layer_6___STEP_BY: usize = sz 8 + +let ntt_at_layer_7___STEP: usize = sz 128 + +let ntt_at_layer_7___STEP_BY: usize = sz 16 + val invert_ntt_at_layer_0_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) @@ -31,6 +51,12 @@ val simd_unit_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val simd_unit_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta1 zeta2: i32) @@ -38,6 +64,12 @@ val simd_unit_ntt_at_layer_1_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val simd_unit_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) 
@@ -45,35 +77,47 @@ val simd_unit_ntt_at_layer_2_ Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ - (zeta_i: usize) +val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ - (zeta_i: usize) +val outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ - (zeta_i: usize) +val ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) +val ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : 
Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index 1ef0cb0e8..543e2b390 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti 
@@ -181,45 +181,5 @@ let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL let v_SIMD_UNITS_IN_RING_ELEMENT: usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = - let list = - [ - 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; - 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; - 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); - (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; - 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); - (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); - (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; - 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); - (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); - (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); - 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); - (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; - (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; - (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); - 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; - 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); - 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); - (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); - (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; 
(-1613174l); (-43260l); (-522500l); - (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); - 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; - 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; - 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; - (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; - (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); - (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); - 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; - 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; - 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); - 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); - (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; - (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list - val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32) : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True) diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index 0b77def1e..968a5585c 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul