diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml index c3535185b..5345cad14 100644 --- a/.github/workflows/c.yml +++ b/.github/workflows/c.yml @@ -118,7 +118,7 @@ jobs: - name: 🔨 Build run: | - cmake -B build + LIBCRUX_BENCHMARKS=1 cmake -B build cmake --build build - name: 🏃🏻‍♀️ Test @@ -132,7 +132,7 @@ jobs: - name: 🔨 Build Release run: | rm -rf build - cmake -B build -DCMAKE_BUILD_TYPE=Release + LIBCRUX_BENCHMARKS=1 cmake -B build -DCMAKE_BUILD_TYPE=Release cmake --build build --config Release if: ${{ matrix.os != 'windows-latest' }} @@ -159,13 +159,6 @@ jobs: cmake -B build cmake --build build # FIXME: Benchmark build for cg on Windows CI is not working right now. - if: ${{ matrix.os != 'windows-latest' }} - - # FIXME: Benchmark build for cg on Windows CI are not working right now. - # - name: 🏃🏻‍♀️ Test (cg) - # working-directory: libcrux-ml-kem/cg - # run: ./build/Debug/ml_kem_test - # if: ${{ matrix.os == 'windows-latest' }} - name: 🏃🏻‍♀️ Test run: ./build/ml_kem_test diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml index 39c5c4267..e385b948e 100644 --- a/.github/workflows/hax.yml +++ b/.github/workflows/hax.yml @@ -68,4 +68,13 @@ jobs: - name: 🏃 Extract ML-DSA crate working-directory: libcrux-ml-dsa - run: cargo hax into fstar + run: ./hax.py extract + + - name: 🏃 Lax ML-DSA crate + working-directory: libcrux-ml-dsa + run: | + env FSTAR_HOME=${{ github.workspace }}/fstar \ + HACL_HOME=${{ github.workspace }}/hacl-star \ + HAX_HOME=${{ github.workspace }}/hax \ + PATH="${PATH}:${{ github.workspace }}/fstar/bin" \ + ./hax.py prove --admit diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index 575339c5d..039a850f4 100644 --- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -87,11 +87,6 @@ jobs: rustc --print=cfg cargo build --verbose $RUST_TARGET_FLAG --features pre-verification - - name: 🔨 Build unpacked - run: | - rustc --print=cfg - cargo build --verbose $RUST_TARGET_FLAG --features pre-verification,unpacked - - name: 🔨 Build Release run: cargo build --verbose --release $RUST_TARGET_FLAG --features pre-verification @@ -173,3 +168,37 @@ jobs: run: | cargo clean cargo hack test --each-feature $EXCLUDE_FEATURES --verbose $RUST_TARGET_FLAG + + fuzz: + strategy: + fail-fast: false + matrix: + os: + - macos-latest # macos-14 m1 + - ubuntu-latest + + runs-on: ${{ matrix.os }} + defaults: + run: + shell: bash + working-directory: libcrux-ml-kem + + steps: + - uses: actions/checkout@v4 + + - name: 🛠️ Setup Rust Nightly + run: | + rustup toolchain install nightly + cargo install cargo-fuzz + + - name: 🛠️ Update dependencies + run: cargo update + + - name: 🏃🏻‍♀️ Decaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run decaps -- -runs=100000 + + - name: 🏃🏻‍♀️ Encaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run encaps -- -runs=100000 + + - name: 🏃🏻‍♀️ KeyGen + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run keygen -- -runs=1000000 diff --git a/.github/workflows/s390x.yml b/.github/workflows/s390x.yml new file mode 100644 index 000000000..e76c37b62 --- /dev/null +++ b/.github/workflows/s390x.yml @@ -0,0 +1,44 @@ +name: s390x - Build & Test + +on: + push: + pull_request: + branches: ["main", "dev"] + workflow_dispatch: + merge_group: + +env: + CARGO_TERM_COLOR: always + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + s390x: + runs-on: ubuntu-latest + name: Build on ubuntu-22.04 s390x + steps: + - uses: actions/checkout@v4 + - uses: uraimo/run-on-arch-action@v2 + name: Run + id: runcmd + with: + arch: s390x + distro: ubuntu22.04 + + # Speed up builds by storing container images in + # a GitHub package registry. + githubToken: ${{ github.token }} + + run: | + apt-get -y update + apt-get install -y curl gcc g++ make cmake ninja-build git + cd libcrux-ml-kem/c + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test + cd ../cg + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test diff --git a/.gitignore b/.gitignore index e1ba64f55..3eb7f0598 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,6 @@ kyber-crate/ # F* .fstar-cache .depend -**/proofs/fstar/*/#*# -**/proofs/fstar/*/.#* +/proofs/fstar/*/#*# +/proofs/fstar/*/.#* hax.fst.config.json diff --git a/Cargo.lock b/Cargo.lock index 4b69f652c..11fe31555 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -29,9 +29,9 @@ checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299" [[package]] name = "anstream" -version = "0.6.17" +version = "0.6.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23a1e53f0f5d86382dafe1cf314783b2044280f406e7e1506368220ad11b1338" +checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" dependencies = [ "anstyle", "anstyle-parse", @@ -44,9 +44,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8365de52b16c035ff4fcafe0092ba9390540e3e352870ac09933bebcaa2c8c56" +checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" [[package]] name = "anstyle-parse" @@ -78,9 +78,9 @@ dependencies = [ [[package]] name = "arbitrary" -version = "1.3.2" +version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" +checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223" [[package]] name = "autocfg" @@ -143,7 +143,7 @@ dependencies = [ "regex", "rustc-hash", "shlex", - "syn 2.0.86", + "syn 2.0.87", "which", ] @@ -191,9 +191,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.31" +version = "1.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" +checksum = "baee610e9452a8f6f0a1b6194ec09ff9e2d85dea54432acdae41aa0761c95d70" dependencies = [ "jobserver", "libc", @@ -319,7 +319,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -483,7 +483,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -702,9 +702,19 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#291e34e51a0182c0f1b29f27cbafe3d40490e39a" +source = "git+https://github.com/hacspec/hax/?branch=main#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", + "num-bigint", + "num-traits", +] + +[[package]] +name = "hax-lib" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" dependencies = [ - "hax-lib-macros", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "num-bigint", "num-traits", ] @@ -712,20 +722,45 @@ dependencies = [ [[package]] name = "hax-lib-macros" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#291e34e51a0182c0f1b29f27cbafe3d40490e39a" +source = "git+https://github.com/hacspec/hax/?branch=main#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", + "paste", + "proc-macro-error", + "proc-macro2", + "quote", + "syn 2.0.87", +] + +[[package]] +name = "hax-lib-macros" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" dependencies = [ - "hax-lib-macros-types", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", +] + +[[package]] +name = "hax-lib-macros-types" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/?branch=main#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_json", + "uuid", ] [[package]] name = "hax-lib-macros-types" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#291e34e51a0182c0f1b29f27cbafe3d40490e39a" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" dependencies = [ "proc-macro2", "quote", @@ -899,6 +934,7 @@ version = "0.0.2-beta.2" dependencies = [ "clap", "getrandom", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", "hex", "libcrux", "libcrux-ecdh", @@ -971,9 +1007,6 @@ dependencies = [ [[package]] name = "libcrux-intrinsics" version = "0.0.2-beta.2" -dependencies = [ - "hax-lib", -] [[package]] name = "libcrux-kem" @@ -992,6 +1025,7 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1007,7 +1041,7 @@ name = "libcrux-ml-kem" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1017,6 +1051,14 @@ dependencies = [ "serde_json", ] +[[package]] +name = "libcrux-ml-kem-fuzz" +version = "0.0.0" +dependencies = [ + "libcrux-ml-kem", + "libfuzzer-sys", +] + [[package]] name = "libcrux-platform" version = "0.0.2-beta.2" @@ -1053,7 +1095,7 @@ version = "0.0.2-beta.2" dependencies = [ "cavp", "criterion", - "hax-lib", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1112,9 +1154,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "minicov" -version = "0.3.6" +version = "0.3.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "def6d99771d7c499c26ad4d40eb6645eafd3a1553b35fc26ea5a489a45e82d9a" +checksum = "f27fe9f1cc3c22e1687f9446c2083c4c5fc7f0bcf1c7a86bdbded14985895b4b" dependencies = [ "cc", "walkdir", @@ -1205,7 +1247,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -1372,7 +1414,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033" dependencies = [ "proc-macro2", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -1569,9 +1611,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.38" +version = "0.38.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa260229e6538e52293eeb577aabd09945a09d6d9cc0fc550ed7529056c2e32a" +checksum = "375116bee2be9ed569afe2154ea6a99dfdffd257f533f187498c2a8f5feaf4ee" dependencies = [ "bitflags", "errno", @@ -1638,7 +1680,7 @@ checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -1737,9 +1779,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.86" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e89275301d38033efb81a6e60e3497e734dfcc62571f2854bf4b16690398824c" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", @@ -1858,7 +1900,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", "wasm-bindgen-shared", ] @@ -1892,7 +1934,7 @@ checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -1926,7 +1968,7 @@ checksum = "c97b2ef2c8d627381e51c071c2ab328eac606d3f69dd82bcbca20a9e389d95f0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -2084,7 +2126,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] [[package]] @@ -2104,5 +2146,5 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.86", + "syn 2.0.87", ] diff --git a/Cargo.toml b/Cargo.toml index bcdb8b03f..625c177a3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ members = [ "benchmarks", "fuzz", "libcrux-ml-kem", + "libcrux-ml-kem/fuzz", "libcrux-sha3", "libcrux-ml-dsa", "libcrux-intrinsics", @@ -74,13 +75,7 @@ log = { version = "0.4", optional = true } # WASM API wasm-bindgen = { version = "0.2.87", optional = true } getrandom = { version = "0.2", features = ["js"], optional = true } - -# When using the hax toolchain, we have more dependencies. -# This is only required when doing proofs. -#[target.'cfg(hax)'.dependencies] -[workspace.dependencies] -hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" } -hax-lib = { git = "https://github.com/hacspec/hax/", branch = "main" } +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" } [dev-dependencies] libcrux = { path = ".", features = ["rand", "tests"] } diff --git a/benchmarks/benches/kyber768.rs b/benchmarks/benches/kyber768.rs index 2fec056a9..0341a881e 100644 --- a/benchmarks/benches/kyber768.rs +++ b/benchmarks/benches/kyber768.rs @@ -80,7 +80,7 @@ pub fn comparisons_pk_validation(c: &mut Criterion) { b.iter_batched( || libcrux_kem::deterministic::mlkem768_generate_keypair_derand(seed), |key_pair| { - let _valid = libcrux_kem::ml_kem768_validate_public_key(key_pair.into_parts().1); + let _valid = libcrux_kem::ml_kem768_validate_public_key(&key_pair.into_parts().1); }, BatchSize::SmallInput, ) diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base index b4e0d962b..54c2552b1 100644 --- a/fstar-helpers/Makefile.base +++ b/fstar-helpers/Makefile.base @@ -1,5 +1,5 @@ # Base Makefile for F* in libcrux. -# This inherits from Makefile.generic, and adds the `specs` folder from HACL and the `libcrux-ml-kem/proofs/fstar/spec` folder. +# This inherits from Makefile.generic, and adds the `specs` folder from HACL. VERIFY_SLOW_MODULES ?= no ifeq (${VERIFY_SLOW_MODULES},no) @@ -10,5 +10,5 @@ EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; -FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec +FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic diff --git a/fstar-helpers/README.md b/fstar-helpers/README.md deleted file mode 100644 index 122ed5b03..000000000 --- a/fstar-helpers/README.md +++ /dev/null @@ -1,5 +0,0 @@ -This folder provides F* helpers: - - - `Makefile.generic` is the generic hax Makefile, available here: https://gist.github.com/W95Psp/4c304132a1f85c5af4e4959dd6b356c3. `Makefile.generic` is not supposed to be edited. - - `Makefile.base` is the base file that adds a couple of include folders that are useful generally in the scope of libcrux verification with F*. - - `fstar-bitvec` F* modules related to bitvectors. diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst deleted file mode 100644 index 5e21832c7..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst +++ /dev/null @@ -1,48 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -private let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let rec bv_equality'' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> feq bv1 bv2} - = if n = 0 then true - else let n' = n - 1 in - if bv1 n' = bv2 n' - then - ( - let bv1' = mk_bv (fun i -> bv1 i) in - let bv2' = mk_bv (fun i -> bv2 i) in - if bv_equality'' #n' bv1' bv2' - then ( - assert (forall (x: nat{x < n'}). bv1' x == bv1 x); - assert (forall (x: nat{x < n'}). bv2' x == bv2 x); - true - ) - else false - ) - else false - -let bv_equality' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> bv1 == bv2} - = extensionality _ _ bv1 bv2; - bv_equality'' bv1 bv2 - - -let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2 - -let bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) - = () -let bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) - = () - -let rewrite n (bv1: bit_vec n) - : Lemma (bv_equality #n bv1 bv1 == true) - = () diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti deleted file mode 100644 index 5340903b4..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti +++ /dev/null @@ -1,17 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -val bv_equality #n (bv1 bv2: bit_vec n): bool -val bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) -val bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) -val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true) - - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst deleted file mode 100644 index 9d2614842..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst +++ /dev/null @@ -1,264 +0,0 @@ -module BitVec.Intrinsics.Constants - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality -open BitVec.Utils -open BitVec.Equality - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let offset = i % 16 in - match i / 16 with - | 0 -> get_bit x15 (sz offset) - | 1 -> get_bit x14 (sz offset) - | 2 -> get_bit x13 (sz offset) - | 3 -> get_bit x12 (sz offset) - | 4 -> get_bit x11 (sz offset) - | 5 -> get_bit x10 (sz offset) - | 6 -> get_bit x9 (sz offset) - | 7 -> get_bit x8 (sz offset) - | 8 -> get_bit x7 (sz offset) - | 9 -> get_bit x6 (sz offset) - | 10 -> get_bit x5 (sz offset) - | 11 -> get_bit x4 (sz offset) - | 12 -> get_bit x3 (sz offset) - | 13 -> get_bit x2 (sz offset) - | 14 -> get_bit x1 (sz offset) - | 15 -> get_bit x0 (sz offset) - ) - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 = admit () - -open Tactics.Utils - -open FStar.Tactics - -(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are -unification variables. This returns a list of terms to substitute `x1` -... `xN` with. *) -let unify_app (t fn: term) norm_steps: Tac (option (list term)) - = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in - let _fake_goal = - (* create a goal `b1 -> ... -> bn -> squash True` *) - let trivial = pack_comp (C_Total (`squash True)) in - unshelve (fresh_uvar (Some (mk_arr bds trivial))) - in - (* get back the binders `b1`, ..., `bn` *) - let bds = intros () in - let args = map (fun (b: binder) -> b <: term) bds in - let norm_term = norm_term (hnf::norm_steps) in - let fn, t = norm_term (mk_e_app fn args), norm_term t in - let vars = map (fun b -> - let b = inspect_binder b in - let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in - let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in - (FStar.Reflection.V2.pack_namedv nv, b.binder_sort) - ) bds in - let?# substs = fst (try_unify (cur_env ()) vars fn t) in - if List.Tot.length substs <> List.Tot.length bds - then fail "unify_app: inconsistent lengths"; - (* solve the trivial goal introduced at the begining *) - trivial (); - Some (List.Tot.rev (map (fun (_, t) -> t) substs)) - -irreducible let add (x y: int): int = x + y - -let f (a b c d: int): int = add (add (add a b) c) d - -// #push-options "--print_full_names --print_implicits --print_bound_var_types" -let _ = assert true by ( - let r = - unify_app - (quote (f 1 2 3 4)) - (quote f) - [delta_only [`%f]] - in - let s = term_to_string (quote r) - in - print s - ) - -let test x y (#[( - let n = fresh_namedv () in - let y = quote y in - let y' = `(madd_rhs (`#n)) in - let n = FStar.Reflection.V2.pack_namedv n in - let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with - | (Some [v, t'], _) -> - `(stupid (`#t')) - | _ -> `(stupid (`#y)) in - exact t -)]f: bit_vec 256 -> bit_vec 256) = f x - -let xx = fun x -> test x (madd_rhs 12) - -irreducible let vec256_to_i16s (bv: bit_vec 256) - : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - = admit () - -irreducible let rw_vec256_to_i16_ints - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : Lemma ( - vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15) - == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) - ) = admit () - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s <= 1 - && v x0 = v x2 && v x0 = v x4 && v x0 = v x6 && v x0 = v x8 - && v x0 = v x10 && v x0 = v x12 && v x0 = v x14 - && v x1 = 1 && v x3 = 1 && v x5 = 1 && v x7 = 1 - && v x9 = 1 && v x11= 1 && v x13= 1 && v x15= 1 - then match Tactics.Pow2.log2 (v x0 <: nat) with - | Some coef -> - if coef < 16 - then ( - assert (v ((1s < None - else None -#pop-options - -open FStar.Tactics.V2 -[@@FStar.Tactics.V2.postprocess_with (fun _ -> - compute (); - Tactics.Seq.norm_index (); - compute (); - fail "x" -)] -let aa = - let n = 12 in - let tuple = ( - ( (1s < n | None -> 0 in - x - -open Tactics.Utils -open FStar.Tactics.V2 -module Visit = FStar.Tactics.Visit - -let rec any (f: 'a -> bool) (l: list 'a): bool - = match l with - | [] -> false - | hd::tl -> if f hd - then true - else any f tl - -exception FoundFreeLocalVar -let is_closed_term (x: term): Tac bool - = try - let _ = FStar.Tactics.Visit.visit_tm ( - function - | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar - | x -> x - ) x - in true - with | FoundFreeLocalVar -> false - | e -> raise e - -let rw_mm256_set_epi16 t = - let?# (f, [arg,_]) = expect_app_n t 1 in - let?# _ = expect_free_var f (`%vec256_to_i16_ints) in - let?? _ = is_closed_term arg in - let?# (f, args) = expect_app_n arg 16 in - let?# _ = expect_free_var f (`%mm256_set_epi16) in - pointwise' (fun _ -> - let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in - Some (if any (fun (arg, _) -> term_eq lhs arg) args - then norm [primops; iota; delta; zeta_full] - else ()) - in trefl () - ); - Some () - -let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16}) - : result: option (n: nat {n < 16}) { match result with - | Some n -> bv == madd_rhs n - | _ -> True - } - = if bv_equality bv (madd_rhs n) - then ( bv_equality_elim bv (madd_rhs n); - Some n ) - else if n = 0 then None - else expect_madd_rhs' bv (n - 1) - -irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16}) - = expect_madd_rhs' bv 15 - -// let rewrite_expect_madd_rhs -// (bv: bit_vec 256) (n: nat {n < 16}) -// : Lemma (requires bv == madd_rhs n) -// (ensures ) -// = () - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst deleted file mode 100644 index 0c60d6587..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst +++ /dev/null @@ -1,203 +0,0 @@ -module BitVec.Intrinsics.TestShuffle - -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Intrinsics - -assume val stuck: #a:Type -> #b:Type -> a -> b - -let index64 l (i: nat {i < List.Tot.length l}) = - match l with - | [x0;x1;x2;x3] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3) - | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3 | 4 -> x4 | 5 -> x5 | 6 -> x6 | 7 -> x7 | 8 -> x8 | 9 -> x9 | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 - | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 - | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 - | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63) - | _ -> stuck "index" - -assume val nth: list bit -> nat -> bit - -let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n) - = mk_bv (fun i -> nth (index64 l (i / n)) (i % n)) - -let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0] - -type result #t0 #t1 #t2 #t3 #t4 = { - vector: t0; - adjacent_2_combined: t1; - adjacent_8_combined: t2; - combined': t3; - combined: t4; - } - -// /// We view `x` as a sequence of pairs of 16 bits, of the shape -// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. -// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = -// mk_bv (fun i -> let j = i % 32 in -// // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` -// let is_zero = -// // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` -// j >= n * 2 -// in -// if is_zero -// then 0 -// else if j < n -// then x i // we want to produce the bit `aⱼ` -// else -// // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// x (i - n + 16) -// ) - -// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = -// mk_bv (fun i -> -// let j = i / 32 in -// let index = (List.Tot.index b (7 - j) % 8) * 32 in -// a (index + i % 32)) - -let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_madd_epi16_specialized' vector 4 - // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - // (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255] -let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127] - -let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = - let input = bv_of_list_list 4 [ - a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z; - e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z; - i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z; - m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z; - - // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d; - // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h; - // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l; - // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p; - ] in - serialize_4_ input - - -// let xx a b c d e f g h i j k l m n o p = -// Pervasives.norm [iota; primops; zeta_full; delta] ( -// Pervasives.norm [iota; primops; zeta; delta] ( -// let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in -// let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in -// let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in -// let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in -// let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in -// let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in -// // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx) -// {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} -// // (vector, adjacent_2_combined) -// ) -// ) - - - -open FStar.Tactics.V2 -open Tactics.Utils - - -open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128} -// open BitVec.Intrinsics { - -// } - -#push-options "--compat_pre_core 0" -let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - BitVec.Intrinsics.mm256_madd_epi16 vector - (BitVec.Intrinsics.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); - assert (forall (i: nat {i < 64}). - // let local_i = i / 4 in - combined i == vector ((i / 4) * 16 + i % 4) - ) by ( - // unfold wrappers - norm [primops; iota; zeta; delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils"; - ]]; - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> - let reduce t = - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]]; - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); - flip (); smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - // focus (fun _ -> dump' "Goal!!"); - trivial () - )) - ); - combined diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti deleted file mode 100644 index a101013a6..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ /dev/null @@ -1,425 +0,0 @@ -module BitVec.Intrinsics - -open Core -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Equality -open Tactics.Utils - -(*** The intrinsics *) -let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit >= v shift then vec (i - v shift) else 0) - -let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit < 16 - v shift then vec (i + v shift) else 0) - -let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 64 in - if nth_bit < 64 - v shift then vec (i + v shift) else 0) - -let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec i) -let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec (i + 128)) - -let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256 - = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128)) - -let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128 - = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8))) - -let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i32) = get_bit x (sz (i % 32)) in - match i / 32 with - | 0 -> h x7 | 1 -> h x6 | 2 -> h x5 | 3 -> h x4 - | 4 -> h x3 | 5 -> h x2 | 6 -> h x1 | 7 -> h x0) - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i16) = get_bit x (sz (i % 16)) in - match i / 16 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: u8) - : bit_vec 128 - = mk_bv (fun i -> - let h (x: u8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm256_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x31 | 1 -> h x30 | 2 -> h x29 | 3 -> h x28 - | 4 -> h x27 | 5 -> h x26 | 6 -> h x25 | 7 -> h x24 - | 8 -> h x23 | 9 -> h x22 | 10 -> h x21 | 11 -> h x20 - | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16 - | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12 - | 20 -> h x11 | 21 -> h x10 | 22 -> h x9 | 23 -> h x8 - | 24 -> h x7 | 25 -> h x6 | 26 -> h x5 | 27 -> h x4 - | 28 -> h x3 | 29 -> h x2 | 30 -> h x1 | 31 -> h x0 - ) - -val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 -let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 - = mk_bv (fun i -> if i % 16 < n then 1 else 0) - -let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> if y i = 0 then 0 else x i) - -let mm256_set1_epi16 (constant: i16) - (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) - | _ -> (quote (mm256_set1_epi16_no_semantics constant)) - )]result: bit_vec 256) - : bit_vec 256 = result - -private let saturate8 (v: bit_vec 16): bit_vec 8 - = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) - = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 - in - let any1 = on_upper_bits ( || ) (fun i -> v i = 1) in - let all1 = on_upper_bits ( && ) (fun i -> v i = 1) in - let negative = v 15 = 1 in - mk_bv (fun i -> - let last_bit = i = 7 in - if negative - then if last_bit - then 1 - else if all1 - then v i - else 0 - else if any1 - then if last_bit - then 0 - else 1 - else v i - ) - -let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128 - = mk_bv (fun j -> - if j < 16 - then a ((j * 8) + 7) - else 0 - ) - -let mm_movemask_epi8 (a: bit_vec 128): i32 - = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i)) - -let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 - = mk_bv (fun i -> - let nth_block = i / 8 in - let offset8 = nth_block * 8 in - let offset16' = nth_block * 16 in - let offset16 = offset16' % 128 in - let vec: bit_vec 128 = if offset16' < 128 then a else b in - saturate8 (mk_bv (fun j -> vec (offset16 + j))) (i - offset8) - ) - - - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 % 2 = 0 then 4 else 0 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = 6 - (nth_i16 % 4) * 2 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This term will be stuck, we don't know anything about it -val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 - -open FStar.Tactics.V2 - - - -let mm256_mullo_epi16 - (a count: bit_vec 256) - (#[( - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a)) - else if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) - else - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a)) - else - Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) - )]result: bit_vec 256): bit_vec 256 = result - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 -> bit_vec 256 - -let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) - : r:bool {r <==> (forall i. f i)} - = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = - match n with - | 0 -> true - | _ -> f (n - 1) && h (n - 1) - in h max - -/// We view `x` as a sequence of pairs of 16 bits, of the shape -/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. -/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = - mk_bv (fun i -> let j = i % 32 in - // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` - let is_zero = - // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` - j >= n * 2 - in - if is_zero - then 0 - else if j < n - then x i // we want to produce the bit `aⱼ` - else - // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - x (i - n + 16) - ) - -let mm256_concat_pairs_n - (n: u8 {v n < 16}) - (x: bit_vec 256 {forall (i: nat {i < 256}). i % 16 < v n || x i = 0}) = - mm256_madd_epi16_specialized' x (v n) - -let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = - if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) - then mm256_madd_epi16_specialized' x n - else mm256_madd_epi16_no_semantic x (madd_rhs n) - -val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128 -let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (15 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm_shuffle_epi8 - (x y: bit_vec 128) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> - mm_set_epi8 - (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 ) - (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] -> - `(mm_shuffle_epi8_u8 (`@x) - (mk_list_16 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15))) - | _ -> quote (mm_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 128) - : bit_vec 128 - = result - -val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (31 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm256_shuffle_epi8 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> - mm256_set_epi8 - (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 ) - (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15) - (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23) - (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] -> - `(mm256_shuffle_epi8_i8 (`@x) - (mk_list_32 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15) - (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) - (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31))) - | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = - mk_bv (fun i -> - let j = i / 32 in - let index = (List.Tot.index b (7 - j) % 8) * 32 in - a (index + i % 32)) - -let mm256_permutevar8x32_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_permutevar8x32_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256 -let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 32 in - let shift = List.Tot.index counts (7 - i / 32) in - if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0) - -let mm256_sllv_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_sllv_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_sllv_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - - -let mm256_madd_epi16 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with - | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) - | _ -> quote (mm256_madd_epi16_no_semantic x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128) - // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))} - : r: t_Array u8 (sz 16) {forall i. vec i == bit_vec_of_int_t_array r 8 i} - -open FStar.Stubs.Tactics.V2.Builtins -open FStar.Stubs.Tactics.V2 -open FStar.Tactics.V2.Derived -open FStar.Tactics.V2 - -let rec bv_to_string #len (bv: bit_vec len): string - = if len = 0 then "" - else string_of_int (bv (len - 1)) - ^ bv_to_string #(len - 1) (mk_bv (fun i -> bv i)) - -let bv_of_string #len (s: string): Tac (bit_vec len) - = let l = FStar.String.list_of_string s - |> filter (function ' ' | '\n' -> false | _ -> true) - |> map #_ #bit (function '1' -> 1 <: bit | '0' -> 0 | c -> fail ("expected 0 or 1, got [" ^ String.string_of_char c ^ "]")) in - if FStar.List.Tot.length l = len - then mk_bv (fun (i: nat {i < len}) -> List.Tot.index l i) - else fail ("expected a bv of length " ^ string_of_int len ^ ", got a bv of length " ^ string_of_int (FStar.List.Tot.length l)) - -let call_native_intrinsic' #ilen name raw_args (bitvecs: list (bit_vec ilen)) : Tac string = - let bitvecs = List.Tot.map bv_to_string bitvecs in - let args = List.Tot.append raw_args bitvecs in - let result = launch_process "bash" ("/tmp/run.sh"::name::args) "" in - print ("process stdout is [" ^ result ^ "]"); - FStar.String.list_of_string result - |> filter (function ' ' | '\n' -> false | _ -> true) - |> String.string_of_list - -let call_native_intrinsic #ilen olen name raw_args (bitvecs: list (bit_vec ilen)) : Tac (bit_vec olen) = - bv_of_string (call_native_intrinsic' #ilen name raw_args bitvecs) - -let random_bv len: Tac (bit_vec len) - = call_native_intrinsic #1 _ "rand" [string_of_int len] [] - -let tassert (x: bool): Tac unit - = if x then () else fail "tassert" - - -private let example: bit_vec 256 = mk_bv (fun i -> if i % 16 = 15 then 1 else 0) - -private let x = bv_to_string example -private let y = bv_to_string (mm256_srli_epi16 15l example) - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst deleted file mode 100644 index 3d2d19c98..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ /dev/null @@ -1,67 +0,0 @@ -module BitVec.Utils - -open Core -open FStar.FunctionalExtensionality -open BitVec.Equality -open Rust_primitives.BitVectors - -let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) - : (l:list a {List.Tot.length l == 32}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in - assert_norm (List.Tot.length l == 32); - l - -let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a) - : (l:list a {List.Tot.length l == 16}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in - assert_norm (List.Tot.length l == 16); - l - -let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) - : (l:list a {List.Tot.length l == 8}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in - assert_norm (List.Tot.length l == 8); - l - -let rw_get_bit_cast #t #u - (x: int_t t) (nth: usize) - : Lemma (requires v nth < bits u /\ v nth < bits u) - (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) - [SMTPat (get_bit (cast_mod #t #u x) nth)] - = () - -let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) - : Lemma (requires v y >= 0 /\ v y < bits t) - (ensures eq2 #bit (get_bit (x >>! y) i ) - (if v i < bits t - v y - then get_bit x (mk_int (v i + v y)) - else if signed t - then get_bit x (mk_int (bits t - 1)) - else 0)) - = () - -unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool) - -> r: bool {r <==> (forall i. pred i)} - -let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3 - && pred 4 && pred 5 && pred 6 && pred 7 - -#push-options "--z3rlimit 400" -let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8)) -let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16)) -let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32)) -let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64)) -let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128)) -#pop-options - -let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) - -let bit_vec_to_int_t_lemma - #t (d: num_bits t) (bv: bit_vec d) - i - : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i) - [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))] - = bit_vec_to_int_t_lemma d bv i - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fst b/fstar-helpers/fstar-bitvec/BitVecEq.fst deleted file mode 100644 index c89f2fe35..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fst +++ /dev/null @@ -1,12 +0,0 @@ -module BitVecEq - -open Core -open FStar.Mul -open FStar.FunctionalExtensionality - -let bit_vec_equal #n bv1 bv2 = forall i. bv1 i == bv2 i - -let bit_vec_equal_intro bv1 bv2 = () -let bit_vec_equal_elim bv1 bv2 = assert (feq bv1 bv2) - - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti deleted file mode 100644 index c370f28bf..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fsti +++ /dev/null @@ -1,293 +0,0 @@ -module BitVecEq -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul -open MkSeq -open FStar.FunctionalExtensionality - -val bit_vec_equal (#n: nat) (bv1 bv2: bit_vec n): Type0 -val bit_vec_equal_intro (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires forall i. bv1 i == bv2 i) - (ensures bit_vec_equal bv1 bv2) -val bit_vec_equal_elim (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires bit_vec_equal #n bv1 bv2) - (ensures bv1 == bv2) - [SMTPat (bit_vec_equal #n bv1 bv2)] - -let bit_vec_equal_intro_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2 - with _. bit_vec_equal_intro #n bv1 bv2 - -let bit_vec_equal_elim_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i)) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i) - with _. bit_vec_equal_elim #n bv1 bv2 - -let bit_vec_equal_trivial (bv1 bv2: bit_vec 0): Lemma (bv1 == bv2) - [SMTPat (eq2 #(bit_vec 0) bv1 bv2)] - = bit_vec_equal_intro bv1 bv2 - -let bit_vec_sub #n (bv: bit_vec n) (start: nat) (len: nat {start + len <= n}) - : bit_vec len - = on (i: nat {i < len}) - (fun i -> bv (start + i)) - -let bit_vec_equal_trivial_sub_smtpat (bv1: bit_vec 'n) - : Lemma (forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2) - [SMTPat (bit_vec_sub bv1 0 0)] - = introduce forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2 - with bit_vec_equal_trivial (bit_vec_sub bv1 0 0) bv2 - -unfold let retype #a #b (#_:unit{a == b}) - (x: a): b - = x - -let bit_vec_sub_all_lemma #n (bv: bit_vec n) - : Lemma (bit_vec_sub bv 0 n == bv) - [SMTPat (bit_vec_sub bv 0 n)] - = bit_vec_equal_intro (bit_vec_sub bv 0 n) bv - -let int_t_array_bitwise_eq' - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_equal (bit_vec_of_int_t_array arr1 d1) - (retype (bit_vec_of_int_t_array arr2 d2)) - -let int_t_array_bitwise_eq - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_of_int_t_array arr1 d1 == bit_vec_of_int_t_array arr2 d2 - -// let get_bit_intro () -// : Lemma (forall (#n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). -// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth))) -// = introduce forall (n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). -// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth)) -// with get_bit_intro #n x nth - -#push-options "--fuel 0 --ifuel 0 --z3rlimit 80" -/// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...` -let int_t_seq_slice_to_bv_sub_lemma #t #n - (arr: t_Array (int_t t) n) - (start: nat) (len: usize {start + v len <= v n}) - (d: num_bits t) - : Lemma ( bit_vec_of_int_t_array (Seq.slice arr start (start + v len) <: t_Array _ len) d - `bit_vec_equal` bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d)) - [SMTPat (bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))] - = let bv1 = bit_vec_of_int_t_array #_ #len (Seq.slice arr start (start + v len)) d in - let bv2 = bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d) in - introduce forall i. bv1 i == bv2 i - with ( Seq.lemma_index_slice arr start (start + v len) (i / d); - Math.Lemmas.lemma_div_plus i start d; - Math.Lemmas.lemma_mod_plus i start d); - bit_vec_equal_intro bv1 bv2 - -#push-options "--split_queries always" -let int_t_eq_seq_slice_bv_sub_lemma #t #n1 #n2 - (arr1: t_Array (int_t t) n1) (arr2: t_Array (int_t t) n2) (d: num_bits t) - (start1 start2: nat) (len: nat {start1 + len <= v n1 /\ start2 + len <= v n2}) - : Lemma (requires Seq.slice arr1 start1 (start1 + len) == Seq.slice arr2 start2 (start2 + len)) - (ensures bit_vec_equal - (bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d))) - [SMTPat ((bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) == - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))] - = let len = sz len in - int_t_seq_slice_to_bv_sub_lemma arr1 start1 len d; - int_t_seq_slice_to_bv_sub_lemma arr2 start2 len d; - // bit_vec_equal_elim_principle (); - bit_vec_equal_intro_principle () -#pop-options - -let bit_vec_equal_extend #n1 #n2 - (bv1: bit_vec n1) (bv2: bit_vec n2) (start1 start2: nat) - (len1: nat) - (len2: nat { start1 + len1 + len2 <= n1 /\ start2 + len1 + len2 <= n2}) - : Lemma - (requires - bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1 - /\ bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2) - (ensures bit_vec_sub bv1 start1 (len1+len2) == bit_vec_sub bv2 start2 (len1+len2)) - // [SMTPat (bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1); - // SMTPat () - // ] - // SMTPat (bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)] - = let left1 = bit_vec_sub bv1 start1 len1 in - let left2 = bit_vec_sub bv2 start2 len1 in - let right1 = bit_vec_sub bv1 (start1 + len1) len2 in - let right2 = bit_vec_sub bv2 (start2 + len1) len2 in - // () - // bit_vec_equal_elim left1 left2 ; - // bit_vec_equal_elim right1 right2; - let entire1 = bit_vec_sub bv1 start1 (len1 + len2) in - let entire2 = bit_vec_sub bv2 start2 (len1 + len2) in - assert (forall (i:nat). i < len1 ==> left1 i == left2 i); - assert (forall (i:nat). i < len2 ==> right1 i == right2 i); - introduce forall (i:nat). i < len1 + len2 ==> entire1 i == entire2 i - with introduce i < len1 + len2 ==> entire1 i == entire2 i - with _. if i < len1 then assert (left1 i == left2 i) - else assert (entire1 i == right1 (i - len1)); - bit_vec_equal_intro entire1 entire2 -#pop-options - -// let bit_vec_equal_trans (#n: nat) (bv1 bv2 bv3: bit_vec n) -// : Lemma (requires bv1 `bit_vec_equal` bv2 /\ bv2 `bit_vec_equal` bv3) -// (ensures bv1 `bit_vec_equal` bv3) -// = bit_vec_equal_elim_principle (); -// bit_vec_equal_intro_principle () - -(* -let int_arr_bitwise_eq_range - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - = bit_vec_equal #bits (fun i -> bit_vec_of_int_t_array arr1 d1 (i + offset1)) - = forall (k: nat). k < bits ==> - bit_vec_of_int_t_array arr1 d1 (offset1 + k) - == bit_vec_of_int_t_array arr2 d2 (offset2 + k) - -let int_arr_bitwise_eq_range_comm - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - : Lemma (requires int_arr_bitwise_eq_range arr1 d1 arr2 d2 offset1 offset2 bits) - (ensures int_arr_bitwise_eq_range arr2 d2 arr1 d1 offset2 offset1 bits) - = () - -// kill that function in favor of range -let int_arr_bitwise_eq_up_to - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - (max: nat {max <= v n1 * d1}) - - = forall i. i < max - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_ - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = int_arr_bitwise_eq_up_to arr1 d1 arr2 d2 (v n1 * d1) - -// move to fsti -let bit_vec_equal #n (bv1 bv2: bit_vec n) - = forall i. i < n ==> bv1 i == bv2 i - -let int_arr_bitwise_eq - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = forall i. i < v n1 * d1 - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_range_transitivity - #t1 #t2 #t3 #n1 #n2 #n3 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement3: int_t t3 -> Type0) - (arr3: t_Array (x: int_t t3 {refinement3 x}) n3) - (d3: num_bits t3) - (offset1 offset2 offset3: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - /\ offset3 + bits <= v n3 * d3 - }) - : Lemma - (requires int_arr_bitwise_eq_range #t1 #t2 #n1 #n2 arr1 d1 arr2 d2 offset1 offset2 bits - /\ int_arr_bitwise_eq_range #t2 #t3 #n2 #n3 arr2 d2 arr3 d3 offset2 offset3 bits) - (ensures int_arr_bitwise_eq_range #t1 #t3 #n1 #n3 arr1 d1 arr3 d3 offset1 offset3 bits) - = () - - -let int_arr_bitwise_eq_range_intro - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - : Lemma - (requires int_arr_bitwise_eq arr1 d1 arr2 d2) - (ensures int_arr_bitwise_eq_range arr1 d1 arr2 d2 0 0 (v n1 * d1)) - = admit () - -let int_arr_bitwise_eq_range_intro_eq_slice - #t #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t -> Type0) - (arr1: t_Array (x: int_t t {refinement x}) n1) - (arr2: t_Array (x: int_t t {refinement x}) n2) - (d: num_bits t) - (offset1 offset2: nat) - (n: nat {offset1 + n < v n1 /\ offset2 + n < v n2}) - (bits: nat { - offset1 + bits <= v n1 * d - /\ offset2 + bits <= v n2 * d - /\ bits <= n * d - }) - : Lemma (requires Seq.slice arr1 offset1 (offset1 + n) == Seq.slice arr2 offset2 (offset2 + n)) - (ensures int_arr_bitwise_eq_range arr1 d arr2 d offset1 offset2 bits) - = admit () - -let int_arr_bitwise_eq_range_intro_eq - #t #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t -> Type0) - (arr1: t_Array (x: int_t t {refinement1 x}) n1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t -> Type0) - (arr2: t_Array (x: int_t t {refinement2 x}) n2) - (d: num_bits t) - (n_offset1 n_offset2: nat) - (n: nat {n_offset1 + n <= v n1 /\ n_offset2 + n <= v n2}) - // (offset1 offset2: nat) - (bits: nat { - n_offset1 * d + bits <= v n1 * d - /\ n_offset2 * d + bits <= v n2 * d - /\ bits <= n * d - }) - : Lemma (requires forall (i: nat). i < n ==> Seq.index arr1 (i + n_offset1) == Seq.index arr2 (i + n_offset2)) - (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits) - = admit () -*) diff --git a/fstar-helpers/fstar-bitvec/MkSeq.fst b/fstar-helpers/fstar-bitvec/MkSeq.fst deleted file mode 100644 index 89c8e0216..000000000 --- a/fstar-helpers/fstar-bitvec/MkSeq.fst +++ /dev/null @@ -1,59 +0,0 @@ -module MkSeq -open Core - -open FStar.Tactics.V2 - -private let init (len: nat) (f: (i:nat{i < len}) -> Tac 'a): Tac (list 'a) - = let rec h (i: nat {i <= len}): Tac (list 'a) - = if i = len then [] else f i :: h (i + 1) - in h 0 - -private let tuple_proj (n: nat) (i: nat): Tac term - = if n = 1 then `(id) else - let name = "__proj__Mktuple" ^ string_of_int n ^ "__item___" ^ string_of_int (i + 1) in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -private let tuple_type (n: nat): Tac term - = if n = 1 then `(id) else - let name = "tuple" ^ string_of_int n in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -open Rust_primitives.Integers - -private let create_gen_tac (n: nat): Tac sigelt - = let typ_bd = {fresh_binder_named "t" (`Type0) with qual = FStar.Reflection.V2.Q_Implicit} in - let typ = binder_to_term typ_bd in - let input_typ = mk_e_app (tuple_type n) (init n (fun _ -> typ)) in - let input_bd = fresh_binder_named "tup" input_typ in - let output_type = `t_Array (`#typ) (sz (`@n)) in - let nth i = `((`#(tuple_proj n i)) (`#input_bd)) in - let mk_and: term -> term -> Tac term = fun t u -> `(`#t /\ `#u) in - let post = - let mk_inv s i = `(Seq.index (`#s) (`@i) == (`#(tuple_proj n i)) (`#input_bd)) in - let invs s = Tactics.fold_left mk_and (`(Seq.length (`#s) == (`@n))) (init n (mk_inv s)) in - let bd = fresh_binder_named "s" output_type in - mk_abs [bd] (invs bd) - in - let comp = C_Eff [] ["Prims"; "Pure"] - (`t_Array (`#typ) (sz (`@n))) - [ (`(requires True), Q_Explicit); (post, Q_Explicit)] [] - in - let args = [typ_bd; input_bd] in - let l = Tactics.fold_right (fun hd tl -> `((`#hd)::(`#tl))) (init n nth) (`[]) in - let indexes = - let f i = `((`#(nth i)) == List.Tot.index (`#l) (`@i)) in - Tactics.fold_left mk_and (`True) (init n f) - in - let lb_def = mk_abs args (`( - let l = `#l in - let s = Seq.createL l <: t_Array (`#typ) (sz (`@n)) in - FStar.Classical.forall_intro (Seq.lemma_index_is_nth s); - assert (`#indexes) by (Tactics.norm [primops; iota; delta; zeta]); - s - )) in - let lb_typ = mk_arr args (pack_comp comp) in - let open FStar.List.Tot in - let lb_fv = pack_fv (cur_module () @ ["create" ^ string_of_int n]) in - Sg_Let { isrec = false; lbs = [{ lb_fv; lb_us = []; lb_typ; lb_def }] } - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff --git a/fstar-helpers/fstar-bitvec/RwLemmas.fst b/fstar-helpers/fstar-bitvec/RwLemmas.fst deleted file mode 100644 index 1fc1e00de..000000000 --- a/fstar-helpers/fstar-bitvec/RwLemmas.fst +++ /dev/null @@ -1,71 +0,0 @@ -module RwLemmas - -open Core -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -open BitVecEq {} - -let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) - -#push-options "--z3rlimit 40" -let deserialize_10_int (bytes: t_Array u8 (sz 10)) = - let r0:i16 = - (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r2:i16 = - (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r3:i16 = - ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) - in - let r4:i16 = - (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r6:i16 = - (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r7:i16 = - ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) - in - let result:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - in - result -#pop-options - -let deserialize_10_int' (bytes: t_Array u8 (sz 10)): t_Array i16 (sz 8) - = MkSeq.create8 (deserialize_10_int bytes) - -#push-options "--compat_pre_core 0" -#push-options "--z3rlimit 80" -let fff_ (bytes: t_Array u8 (sz 10)) x: unit = - let bv1 = bit_vec_of_int_t_array bytes 8 in - let out = deserialize_10_int' bytes in - let bv2 = bit_vec_of_int_t_array out 10 in - assert (forall (i: nat { i < 80 }). bv1 i == bv2 i) by ( - Tactics.GetBit.prove_bit_vector_equality () - ) -#pop-options - diff --git a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst deleted file mode 100644 index c5ead30b0..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst +++ /dev/null @@ -1,82 +0,0 @@ -module Tactics.Folds - -open Core -module L = FStar.List.Tot -module S = FStar.Seq.Base -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Rust_primitives.Hax.Folds - -open Tactics.Utils - -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// = if v start_ < v end_ -// then fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init - - -// #push-options "--z3rlimit 100" -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// : Lemma ( fold_range start_ end_ inv init f -// == ( if v start_ < v end_ -// then -// fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init ) -// ) -// = admit () -// #pop-options - -// let expect_fold_range t -// = let?# (fr, [acc_t,_;u,_;start_,_;end_,_;inv,_;init,_;f,_]) = expect_app_n t 7 in -// let _ = expect_free_var fr (`%fold_range) in -// Some (acc_t, u, start_, end_, inv, init, f) - -// let make_fold_range_lemma (start_: nat) (end_: nat): Tac _ = -// let _ = tcut (quote (squash (forall acc_t u inv init f. -// fold_range #acc_t #u start_ end_ inv init f -// == fold_range #acc_t #u start_ end_ inv init f -// ))) in -// flip (); -// let acc_t = forall_intro () in -// let u = forall_intro () in -// let inv = forall_intro () in -// let init = forall_intro () in -// let f = forall_intro () in -// fail "xx"; -// let _ = rewrite_rhs () in -// flip (); -// focus (fun _ -> -// fail "xx"; -// apply_lemma_rw (`unfold_fold_range) -// ); -// () -// // rewrite_lhs -// // let aux start_ = - -// jlet _ = -// assert true by (make_fold_range_lemma 1 10) - -// in - - -// let tactic_fold_range t -// = let?# expect_fold_range _ = - diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst deleted file mode 100644 index abec9b4fe..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst +++ /dev/null @@ -1,66 +0,0 @@ -/// Provides tactics around `get_bit _ _ == get_bit _ _` goals -module Tactics.GetBit - -open Core -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -open BitVecEq -open Tactics.Seq - - -let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) - -/// Does one round of computation -let compute_one_round (): Tac _ = - norm [ iota; zeta; reify_ - ; delta_namespace [ - "FStar" - ; "BitVecEq" - ; implode_qn (cur_module ()) - ; "MkSeq" - ; `%Rust_primitives.Hax.array_of_list - ; `%Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements - ] - ; primops; unmeta]; - trace "compute_one_round: norm_pow2" norm_pow2; - trace "compute_one_round: norm_machine_int" norm_machine_int; - trace "compute_one_round: norm_index" norm_index - -/// Normalizes up to `get_bit` -let compute': unit -> Tac unit = goal_fixpoint compute_one_round - -/// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal) -let prove_bit_vector_equality'' (): Tac unit = - norm [ - iota; - primops; - delta_only [`%bit_vec_of_int_t_array; `%FunctionalExtensionality.on]; - delta_namespace [ - implode_qn (cur_module ()); - "Libcrux_intrinsics.Avx2_extract"; - "BitVec.Intrinsics"; - "BitVecEq"; - ]; - ]; - compute_one_round (); - prove_forall_nat_pointwise (print_time "SMT solved the goal in " (fun _ -> - Tactics.Seq.norm_index_minimal (); - l_to_r [`bit_vec_to_int_t_lemma]; - print ("Ask SMT: " ^ term_to_string (cur_goal ())); - focus smt_sync - )) -let prove_bit_vector_equality' (): Tac unit = - if lax_on () - then iterAll tadmit - else prove_bit_vector_equality'' () -let prove_bit_vector_equality (): Tac unit = - set_rlimit 100; - with_compat_pre_core 0 prove_bit_vector_equality' diff --git a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst deleted file mode 100644 index 85bb0bb78..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst +++ /dev/null @@ -1,273 +0,0 @@ -/// This module interprets machine integers terms that comes from -/// `FStar.[U]Int*` modules or from `Rust_primtiives.Integers` module. -/// It can then convert from and back those two representation, -/// normalize them, etc. -module Tactics.MachineInts - -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Option - -open Tactics.Utils -module RI = Rust_primitives.Integers - -/// The size of a machine int -type size = - | PtrSize - | Size of n:nat {match n with | 8 | 16 | 32 | 64 | 128 -> true | _ -> false} -/// The signedness of a machine int -type signedness = | Signed | Unsigned - -/// The operations we recognize on machine ints -type machine_int_op = | MkInt | V - -/// The AST of a machine int expression -noeq type machine_int_term = - /// Operations `mk_int` (aka `FStar.[U]Int*.[u]int_to_t`) and `v` - | Op { /// Which operation is it? - op: machine_int_op - /// Is that a generic (Rust_primitives.Integers) operation or a native one (FStar.[U]Int*)? - ; native: bool - ; size: size - ; signedness: signedness - ; contents: machine_int_term } - /// A (math) integer literal - | Lit of int - /// An arbitrary term - | Term of term - -/// Expect `n` to be a definition in a machine int namespace -let expect_native_machine_int_ns (n: string): (option (signedness & size & string)) - = match explode_qn n with - | "FStar"::int_module::[def_name] -> - let? (sign, size) = match int_module with - | "Int8" -> Some (Signed, Size 8) - | "Int16" -> Some (Signed, Size 16) - | "Int32" -> Some (Signed, Size 32) - | "Int64" -> Some (Signed, Size 64) - | "Int128" -> Some (Signed, Size 128) - | "UInt8" -> Some (Unsigned, Size 8) - | "UInt16" -> Some (Unsigned, Size 16) - | "UInt32" -> Some (Unsigned, Size 32) - | "UInt64" -> Some (Unsigned, Size 64) - | "UInt18" -> Some (Unsigned, Size 128) - | _ -> None - in Some (sign, size, def_name) - | _ -> None - -/// Given a sign and a size, produces the correct namespace `FStar.[U]Int*` -let mk_native_machine_int_ns (sign: signedness) (size: size): option (list string) - = let sign = match sign with | Signed -> "" | Unsigned -> "U" in - let? size = match size with | PtrSize -> None | Size n -> Some (string_of_int n) in - Some ["FStar"; sign ^ "Int" ^ size] - -/// Interpret HACL*'s `inttype`s -let expect_inttype t: Tac (option (signedness & size)) - = let t = norm_term [iota; reify_; delta_namespace ["Rust_primitives.Integers"; "Lib.IntTypes"]; primops; unmeta] t in - let?# t = expect_fvar t in - match t with - | `%RI.i8_inttype | `%Lib.IntTypes.S8 -> Some ( Signed, Size 8) - | `%RI.i16_inttype | `%Lib.IntTypes.S16 -> Some ( Signed, Size 16) - | `%RI.i32_inttype | `%Lib.IntTypes.S32 -> Some ( Signed, Size 32) - | `%RI.i64_inttype | `%Lib.IntTypes.S64 -> Some ( Signed, Size 64) - | `%RI.i128_inttype | `%Lib.IntTypes.S128 -> Some ( Signed, Size 128) - | `%RI.u8_inttype | `%Lib.IntTypes.U8 -> Some (Unsigned, Size 8) - | `%RI.u16_inttype | `%Lib.IntTypes.U16 -> Some (Unsigned, Size 16) - | `%RI.u32_inttype | `%Lib.IntTypes.U32 -> Some (Unsigned, Size 32) - | `%RI.u64_inttype | `%Lib.IntTypes.U64 -> Some (Unsigned, Size 64) - | `%RI.u128_inttype | `%Lib.IntTypes.U128 -> Some (Unsigned, Size 128) - | `%RI.isize_inttype -> Some (Signed, PtrSize) - | `%RI.usize_inttype -> Some (Unsigned, PtrSize) - | _ -> None - -/// Given a signedness and a size, creates a name `[ui]*_inttype` -let mk_inttype_name (sign: signedness) (size: size): name = - let sign = match sign with | Signed -> "i" | Unsigned -> "u" in - let size = match size with | PtrSize -> "size" | Size n -> string_of_int n in - ["Rust_primitives"; "Integers"; sign ^ size ^ "_inttype"] - -/// Given a signedness and a size, creates a term `[ui]*_inttype` -let mk_inttype (sign: signedness) (size: size): Tac term = - pack (Tv_FVar (pack_fv (mk_inttype_name sign size))) - -/// Interprets a term as a machine int. This function always returns -/// something: when `t` is not a machine int expression we recognize, -/// it returns `Term t`. Below, `term_to_machine_int_term` returns an -/// option. -let rec term_to_machine_int_term' (t: term): Tac machine_int_term = - match term_to_machine_int_term'' t with | Some t -> t | None -> Term t -and term_to_machine_int_term'' (t: term): Tac (option machine_int_term) = - let t = norm_term [delta_only [(`%RI.sz); (`%RI.isz)]] t in - match t with - | Tv_Const (C_Int n) -> Some (Lit n) - | _ -> - let?# (hd, args) = collect_app_hd t in - match expect_native_machine_int_ns hd, args with - | (Some (signedness, size, def_name), [arg, _]) -> begin - let native = true in - let contents = term_to_machine_int_term' arg in - let?# op = match def_name with - | "__uint_to_t" | "__int_to_t" | "uint_to_t" | "int_to_t" -> Some MkInt - | "v" -> Some V | _ -> None in - Some (Op {op; native; size; signedness; contents}) - end - | (None, [inttype, _; contents, _]) -> begin - let?# (signedness, size) = expect_inttype inttype in - let contents = term_to_machine_int_term' contents in - let?# op = match hd with | `%RI.mk_int -> Some MkInt - | `%RI.v -> Some V - | _ -> None in - Some (Op {op; native = false; size; signedness; contents}) - end - | _ -> None - -/// Tries to interpret a term as a machine int -let term_to_machine_int_term (t: term): Tac (option (t: machine_int_term {~(Term? t)})) - = match term_to_machine_int_term' t with - | Term _ -> None | t -> Some t - -/// Transform a machine int AST into a term. Note that this doesn't -/// support native usize/isize (aka `FStar.SizeT`), whence the option. -let rec machine_int_term_to_term (t: machine_int_term): Tac (option term) = - match t with - | Term t -> Some t - | Op {native = false; op; size; signedness; contents} -> - let inttype = mk_inttype signedness size in - let?# contents = machine_int_term_to_term contents in - let op = match op with | V -> `RI.v - | MkInt -> `RI.mk_int in - Some (`((`#op) #(`#inttype) (`#contents))) - | Op {native = true; op; size; signedness; contents} -> - let?# ns = mk_native_machine_int_ns signedness size in - let f = FStar.List.Tot.append ns [ - match op with - | MkInt -> (match signedness with | Signed -> "" | Unsigned -> "u") ^ "int_to_t" - | V -> "v" - ] in - let f = pack (Tv_FVar (pack_fv f)) in - let?# contents = machine_int_term_to_term contents in - Some (mk_e_app f [contents]) - | Lit n -> Some (pack (Tv_Const (C_Int n))) - -/// An operation on a machine_int_term -type operation = machine_int_term -> option machine_int_term - -/// Removes `mk_int (v ...)` or `v (mk_int ...)` when it's the same type -let rec flatten_machine_int_term: operation = function - | Op x -> begin match x.contents with - | Op y -> if x.op <> y.op && x.size = y.size && x.signedness = y.signedness - then Some (match flatten_machine_int_term y.contents with - | Some result -> result - | None -> y.contents) - else let? y = flatten_machine_int_term (Op y) in - Some (Op {x with contents = y}) - | _ -> None - end - | _ -> None - -/// Makes a machine int native or not -let rec change_native_machine_int_term (native: bool): operation = function - | Op x -> let contents = change_native_machine_int_term native x.contents in - if x.native = native - then None - else Some (Op { x with native - ; contents = match contents with - | Some contents -> contents - | None -> x.contents}) - | _ -> None - -/// Combines two operation together -let combine: operation -> operation -> operation = - fun f g t -> match f t with - | Some t -> (match g t with | Some t -> Some t | None -> Some t) - | None -> g t - -/// We call `x` a normal machine integer if `x` has no `mk_int (v -/// ...)` or `v (mk_int ...)` sequence and if all `mk_int` and `v` are -/// native (aka `FStar.[U]Int*.*`, not -/// `Rust_primitives.Integer.*`). Note `usize` is an exception, -/// `mk_int` and `v` alone one usizes (and isizes) cannot be reduced -/// further. -let norm_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term true) - -/// We call `x` a normal generic machine integer if `x` has no -/// `FStar.[U]Int*.[u]int_to_t/v`, and no `mk_int (v ...)` or `v -/// (mk_int ...)`. -let norm_generic_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term false) - -/// Unfolds `mk_int` using `mk_int_equiv_lemma` -let norm_mk_int () = - let?# (lhs, _) = expect_lhs_eq_uvar () in - let lhs' = term_to_machine_int_term lhs in - match?# lhs' with - | Op {op = MkInt; native = false; size; signedness; contents} -> - let inttype = mk_inttype signedness size in - let lemma = `(RI.mk_int_equiv_lemma #(`#inttype)) in - let lemma = norm_term [primops; iota; delta; zeta] lemma in - focus (fun _ -> - apply_lemma_rw lemma - ); - Some () - | _ -> None - -/// Lemmas to deal with the special case of usize -let rw_v_mk_int_usize x - : Lemma (eq2 (RI.v #RI.usize_inttype (RI.mk_int #RI.usize_inttype x)) x) = () -let rw_mk_int_v_usize x - : Lemma (eq2 (RI.mk_int #RI.usize_inttype (RI.v #RI.usize_inttype x)) x) = () - -/// Rewrites `goal_lhs` into `machine_int`. This function expects the -/// goal to be of the shape ` == (?...)`, where `` -/// is a machine int. Do not call this function directly. -let _rewrite_to (goal_lhs: term) (eq_type: typ) (machine_int: machine_int_term): Tac (option unit) - = let?# t_term = machine_int_term_to_term machine_int in - Some (focus (fun _ -> - let rw = tcut (`squash (eq2 #(`#eq_type) (`#goal_lhs) (`#t_term))) in - // This tcut will generate simple verification conditions, we - // discharge them right away - // iterAllSMT (fun () -> smt_sync `or_else` (fun _ -> dump "norm_mk_int: Could not solve SMT here")); - flip (); - pointwise' (fun () -> match norm_mk_int () with - | Some _ -> () - | None -> // special case for usize - (fun () -> (fun () -> apply_lemma_rw (`rw_v_mk_int_usize)) - `or_else` (fun () -> apply_lemma_rw (`rw_mk_int_v_usize))) - `or_else` trefl - ); - compute (); - trefl (); - apply_lemma_rw rw - )) - -/// Rewrites a goal deeply, replacing every machine integer expression -/// `x` by `f x` (when it is `Some _`). -let transform (f: machine_int_term -> option machine_int_term): Tac unit - = pointwise' (fun _ -> - match revert_if_none (fun _ -> - let?# (lhs, eq_type) = expect_lhs_eq_uvar () in - let?# machine_int = term_to_machine_int_term lhs in - let?# machine_int' = f machine_int in - let?# _ = _rewrite_to lhs eq_type machine_int' in - Some () - ) - with - | None -> trefl () - | _ -> () - ) - -open Rust_primitives.Integers -let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) - by (transform norm_machine_int_term; trefl ()) -let _ = assert (mk_int #u8_inttype 3 == 3uy) - by (transform norm_machine_int_term; trefl ()) -let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) - by (transform norm_machine_int_term) -let _ = assert (v (mk_int #usize_inttype 3) == 3) - by (transform norm_machine_int_term; trefl ()) -let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) - by (transform norm_machine_int_term; trefl ()) -let _ = assert (mk_int #u8_inttype 3 == 3uy) - by (transform norm_generic_machine_int_term; trefl ()) -let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) - by (transform norm_generic_machine_int_term; trefl ()) diff --git a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst deleted file mode 100644 index 9f6ee1f0f..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst +++ /dev/null @@ -1,58 +0,0 @@ -/// Provides tools to normalize `pow2` -module Tactics.Pow2 - -open Core -open Tactics.Utils -open FStar.Tactics.V2 - -/// Expects `t` to be of the shape `pow2 n`, with `n` a literal, returns n -let expect_pow2_literal t: Tac (option int) - = let?# (f, [x, _]) = expect_app_n t 1 in - let?# () = expect_free_var f (`%pow2) in - expect_int_literal x - -/// Expects `t` to be of the shape `pow2 n - 1`, with `n` a literal, returns n -let expect_pow2_minus_one_literal t: Tac (option int) - = let?# (f, [x, _; y, _]) = expect_app_n t 2 in - let?# () = expect_free_var f (`%op_Subtraction) in - let?# y = expect_int_literal y in - let?? () = y = 1 in - expect_pow2_literal x - -/// Fully normalize a term of the shape `pow2 n`, where `n` is a literal -let norm_pow2 (): Tac unit = - pointwise (fun () -> - let _ = let?# (t, _) = expect_lhs_eq_uvar () in - let?# n = expect_pow2_literal t in - debug ("Normalized `pow2 " ^ string_of_int n ^ "`"); - Some (norm [iota; zeta_full; reify_; delta; primops; unmeta]) in - trefl ()) - -/// Inverse of `pow2` -let rec log2 (n: nat): Tot (option (m: nat {pow2 m == n})) (decreases n) - = if n = 0 then None - else if n = 1 then Some 0 - else if n % 2 <> 0 then None - else match log2 (n / 2) with - | Some n -> Some (1 + n) - | None -> None - -/// Rewrite integers in the goal into `pow2 _ - 1` whenever possible -let rewrite_pow2_minus_one () = - pointwise (fun () -> - match let?# (t, _) = expect_lhs_eq_uvar () in - let?# n = expect_int_literal t in - if n >= 0 then - match log2 (n + 1) with - | Some e -> - let rw_lemma (): Lemma (n == pow2 e - 1) = () in - apply_lemma_rw (quote rw_lemma); - Some () - | _ -> None - else None - with None -> trefl () | _ -> () - ) - -// Test -let _ = fun (i: nat) -> assert (pow2 (i + 3) + pow2 10 == pow2 (i + 3) + 1024) - by (norm_pow2 (); trefl ()) diff --git a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst deleted file mode 100644 index 0a7015968..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst +++ /dev/null @@ -1,123 +0,0 @@ -module Tactics.Seq - -open Core -module L = FStar.List.Tot -module S = FStar.Seq -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -(*** Rewrite lemmas *) -private let rw_seq_index_list #t (l: list t) i - : Lemma (S.index (S.seq_of_list l) i == FStar.List.Tot.index l i) - = () -private let rw_index_slice #typ (s: S.seq typ) i j n: Lemma (S.index (S.slice s i j) n == S.index s (normalize_term (i + n))) - = () -private let rw_index_upd s n v i - : Lemma (S.index (S.upd s n v) i == (if n = i then v else S.index s i)) - = () - -/// A version of `L.index` to mark specific instances we want to normalize. -let rec index_to_normalize #a (l: list a) (i:nat{i < L.length l}): Tot a - = let hd::tl = l in - if i = 0 then hd else index_to_normalize tl (i - 1) - -private let rec rw_index_to_index_to_normalize #a (l: list a) (i:nat{i < L.length l}) - : Lemma (L.index #a l i == index_to_normalize #a l i) - = if i = 0 then () else rw_index_to_index_to_normalize (L.tl l) (i - 1) - - -(*** Tactics that apply those lemmas only if needed *) -let tactic_list_index () - = let?# (t, _) = expect_lhs_eq_uvar () in - let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in - let?# () = expect_free_var f (`%FStar.List.Tot.index) in - let?# n = expect_int_literal index in - apply_lemma_rw (`rw_index_to_index_to_normalize); - Some () - -/// Expects `t` to be of the shape `seq_of_list #_ _` -let expect_seq_of_list (t: term): Tac (option (term & term)) - = let?# (f, [t,_; index,_]) = expect_app_n t 2 in - let?# _ = expect_free_var f (`%S.seq_of_list) in - Some (t, index) - -/// Expects `t` to be of the shape `index #_ _` -let expect_seq_index (t: term): Tac (option (term & term & term)) - = let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in - let?# () = expect_free_var f (`%S.index) in - Some (typ, l, index) - -/// Expects `t` to be of the shape `slice #_ _` -let expect_seq_slice (t: term): Tac (option (term & term & term & term)) - = let?# (f, [typ, _; s, _; i, _; j, _]) = expect_app_n t 4 in - let?# () = expect_free_var f (`%S.slice) in - Some (typ, s, i, j) - -/// Expects `t` to be of the shape `upd #_ _` -let expect_seq_upd (t: term): Tac (option (term & term & term & term)) - = let?# (f, [typ, _; s, _; i, _; v, _]) = expect_app_n t 4 in - let?# () = expect_free_var f (`%S.upd) in - Some (typ, s, i, v) - -let tactic_seq_index_of_list () - = let?# (t, _) = expect_lhs_eq_uvar () in - let?# (_, l, _) = expect_seq_index t in - let?# _ = expect_seq_of_list l in - apply_lemma_rw (`rw_seq_index_list); - Some () - -let tactic_rw_index_slice () - = let?# (t, _) = expect_lhs_eq_uvar () in - let?# (typ, s, index) = expect_seq_index t in - let?# (_, s, i, j) = expect_seq_slice s in - apply_lemma_rw (`rw_index_slice #(`#typ) (`#s) (`#i) (`#j)); - Some () - -let tactic_rw_index_upd () - = let?# (t, _) = expect_lhs_eq_uvar () in - let?# (typ, s, index) = expect_seq_index t in - let?# (_, s, i, v) = expect_seq_upd s in - apply_lemma_rw (`rw_index_upd #(`#typ) (`#s) (`#i) (`#v)); - Some () - -(*** Final tactics *) -let norm_zeta_full_list_index (): Tac unit - = norm [iota; primops; zeta_full; delta_only [`%index_to_normalize]] - - -let norm_index_minimal (): Tac unit - = pointwise ((unwrap ∘ tactic_list_index) ||> trefl); - norm_zeta_full_list_index () - -let norm_index' (): Tac unit - = pointwise ( (unwrap ∘ tactic_seq_index_of_list) - ||> (unwrap ∘ tactic_list_index) - ||> (unwrap ∘ tactic_rw_index_slice) - ||> (unwrap ∘ tactic_rw_index_upd) - ||> trefl) - -let norm_index (): Tac unit - = goal_fixpoint norm_index' (); - norm_zeta_full_list_index () - - -(*** Tests *) -let _ = assert ( - let s = S.seq_of_list [1;2;3;4;5;6] in - let s = S.slice s 2 4 in - S.index s 1 == 4 -) by (norm []; norm_index (); trefl ()) - -let _ = assert ( - L.index [L.index [1;2;3;4;5;6] (L.index [1;2;3;4;3;3] 2)] 0 == 4 -) by (norm_index(); trefl ()) -let _ = assert ( - S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;4;1]) 3);1]) 3);1]) 3 == 4 -) by (norm_index(); trefl ()) - diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst deleted file mode 100644 index 18030a682..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst +++ /dev/null @@ -1,328 +0,0 @@ -module Tactics.Utils - -open Core -open FStar.Option -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul - -(*** Let operators *) -let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b) - = match x with - | Some x -> f x - | None -> None - -let ( let?? ) (x: bool) (f: unit -> Tac (option 'a)): Tac (option 'a) - = if x then f () else None - -(*** Debug helpers *) -/// Dump before failing (in some cases, exception cathing messes with -/// `fail`) -let fail' msg = dump msg; fail msg - -exception Restore -/// Dumps a goal with a minimal number of binders in the environment -let dump' (msg: string): Tac unit - = try set_smt_goals []; - iterAll (fun _ -> let _ = repeat clear_top in ()); - dump msg; - raise Restore - with | _ -> () - -(*** `option _` helpers *) -/// Executes `f`, if it fails, execute `g`. Like `or_else`, but returns -/// a chunk. -let ( ||> ) (f: 'a -> Tac 'b) (g: 'a -> Tac 'b) (a: 'a): Tac 'b - = try f a with | _ -> g a - -exception ExpectedSome -/// Unwraps an option, throws `ExpectedSome` if the option is `None` -let unwrap (x: option 'a): Tac 'a - = match x with - | Some x -> x - | None -> raise ExpectedSome - -/// Expects an option to be `None`, otherwise throws an error -let expect (msg: string) (x: option 'a): Tac 'a - = match x with - | None -> dump' ("Expected " ^ msg); - fail ("Expected " ^ msg) - | Some x -> x - -(*** misc. utils *) -/// Reverse function composition (in Tac) -unfold let (>>>) (f: 'a -> Tac 'b) (g: 'b -> Tac 'c) (x: 'a): Tac 'c - = g (f x) -/// Function composition (in Tac) -unfold let (∘) (f: 'b -> Tac 'c) (g: 'a -> Tac 'b): 'a -> Tac 'c - = g >>> f - - -let trace (fun_name: string) (t: unit -> Tac 'b) = - print (fun_name ^ ": enter"); - let result = - try t () - with | e -> (print (fun_name ^ ": exit (with an exception!)"); raise e) - in - print (fun_name ^ ": exit"); - result - -(*** control utils *) -/// Repeats a tactic `f` until the goal is stable -let goal_fixpoint (f: unit -> Tac unit): unit -> Tac unit - = let rec aux (): Tac _ = - let goal0 = cur_goal () in - f (); - let goal1 = cur_goal () in - if not (term_eq goal0 goal1) then aux () - in aux - -private exception DoRefl -let some_or_refl (f: unit -> Tac (option unit)) - = or_else (fun _ -> match f () with | None -> raise DoRefl | _ -> ()) trefl - -/// Runs `f` on each subterms for rewrite. If `f` is `None` or raises -/// an error, applies `trefl`. -let pointwise_or_refl (f: unit -> Tac (option unit)) - = pointwise (fun _ -> some_or_refl f) - -let rec repeatWhile (f: unit -> Tac bool): Tac unit - = if f () then repeatWhile f - -(*** `expect_*` combinators *) -let expect_int_literal (t: term): Tac (option int) = - match inspect_unascribe t with - | Tv_Const (C_Int n) -> Some n - | _ -> None - -let expect_fvar (t: term): Tac (option string) = - match t with - | Tv_UInst fv _ - | Tv_FVar fv -> Some (implode_qn (inspect_fv fv)) - | _ -> None - -let expect_free_var (t: term) (fv: string): Tac (option unit) = - let?# fv' = expect_fvar t in - if fv = fv' then Some () else None - -let expect_lhs_eq_rhs_term t = - match term_as_formula t with - | Comp (Eq typ) lhs rhs -> - let typ = match typ with | None -> `_ | Some typ -> typ in - Some (lhs, rhs, typ) - | _ -> None - -let expect_lhs_eq_rhs () = - expect_lhs_eq_rhs_term (cur_goal ()) - -let expect_lhs_eq_uvar () = - match expect_lhs_eq_rhs () with - | Some (lhs, rhs, typ) -> - ( match rhs with | Tv_Uvar _ _ -> Some (lhs, typ) | _ -> None ) - | _ -> None - -let expect_app_n t n: Tac (option (term & (l: list _ {L.length l == n}))) = - let (head, args) = collect_app t in - if L.length args = n - then Some (head, args) - else None - -let expect_forall t: Tac _ = - match term_as_formula t with - | Forall bv typ phi -> Some (bv, typ, phi) - | _ -> None - -(*** Rewrite utils *) -private exception ForceRevert -let revert_if_none (f: unit -> Tac (option 'a)): Tac (option 'a) - = try match f () with Some x -> Some x - | None -> raise ForceRevert - with | ForceRevert -> None | e -> raise e - -/// Collects an application whose head is a free variable -let collect_app_hd t: Tac (option (string & list argv)) - = let (hd, args) = collect_app t in - let?# fv = expect_fvar hd in - Some (fv, args) - -let statement_of_lemma (lemma: term) = - let _, comp = collect_arr (tc (cur_env ()) lemma) in - match inspect_comp comp with - | C_Total x - | C_Lemma _ x _ -> ( - match x with - | Tv_Abs _ x -> `(squash (`#x)) - | _ -> `(squash (`#x)) - ) - | _ -> fail "statement_of_lemma: supports only Tot and Lemma" - -let weaken_eq2_lemma (u: Type) (t: Type {subtype_of t u}) (p q: t) () - : Lemma (requires ( == ) #u p q) - (ensures ( == ) #t p q) - = () - -/// `apply_lemma_rw` doesn't work if the goal is `(==) #t ... (?u ...)` while the lemma is `(==) #u .. (?u ....)`. `apply_lemma_rw_eqtype` fixes some of those case, and warns about it. -let apply_lemma_rw_eqtype (lemma: term): Tac unit - = try - apply_lemma_rw lemma - with - | e -> match - let stmt = statement_of_lemma lemma in - let?# (lemma_lhs, lemma_rhs, type_lemma') = expect_lhs_eq_rhs_term stmt in - let?# (goal_lhs, goal_rhs, type_goal') = expect_lhs_eq_rhs () in - let type_lemma = norm_term [delta; iota; primops] type_lemma' in - let type_goal = norm_term [delta; iota; primops] type_goal' in - if term_eq type_lemma type_goal - then None - else - ( print "######## Warning: apply_lemma_rw, rewrite equalities with different type"; - print ("######## Your lemma has eq over type " ^ term_to_string type_lemma); - print ("######## Your goal has eq over type " ^ term_to_string type_goal); - print ("######## Trying to weaken the type of the goal."); - apply_lemma ( - `weaken_eq2_lemma - (`#type_lemma') (`#type_goal') - (`#goal_lhs) (`#goal_rhs) - ); - apply_lemma_rw lemma; - Some () - ) - with | None -> raise e - | Some () -> () - -/// Rewrites LHS of an equality: on goal `squash (x == y)`, it will add `squash (x == (?u ...))`. -let rewrite_lhs (): Tac _ = - let (lhs, _, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_lhs)" in - let uvar = fresh_uvar (Some (tc (cur_env ()) lhs)) in - tcut (`squash (`#lhs == `#uvar)) - -/// Rewrites RHS of an equality: on goal `squash (x == y)`, it will add `squash (y == (?u ...))`. -let rewrite_rhs (): Tac _ = - let (_, rhs, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_rhs)" in - let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in - tcut (`squash (`#rhs == `#uvar)) - -open FStar.Tactics -(*** Unification *) -(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are -unification variables. This returns a list of terms to substitute `x1` -... `xN` with. You probably want `norm_steps` to be `[delta_only -[`%the_name_of_function_fn]]` *) -exception UnifyAppReturn of (option (list term)) -let unify_app (t fn: term) norm_steps: Tac (option (list term)) - = let (* Tactic types are confusing, seems like we need V1 here *) - open FStar.Tactics.V1 in - let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in - try - let _fake_goal = - (* create a goal `b1 -> ... -> bn -> squash True` *) - let trivial = `squash True in - let trivial_comp = pack_comp (C_Total trivial) in - unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp))) - in - (* get back the binders `b1`, ..., `bn` *) - let bds = intros () in - let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in - let norm_term = norm_term (hnf::norm_steps) in - let fn, t = norm_term (mk_e_app fn args), norm_term t in - let fn = `(((`#fn), ())) in - let dummy_var = fresh_namedv_named "dummy_var" in - let t = `(((`#t), (`#dummy_var))) in - let vars = map (fun b -> - let b = inspect_binder b in - let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in - let sort = b.binder_sort in - let nv: namedv_view = {uniq; ppname; sort = seal sort} in - (FStar.Reflection.V2.pack_namedv nv, sort) - ) bds in - let vars = - List.Tot.append - vars - [(FStar.Reflection.V2.pack_namedv dummy_var, `())] - in - let?# substs = fst (try_unify (cur_env ()) vars fn t) in - raise (UnifyAppReturn ( - if List.Tot.length substs <> List.Tot.length bds + 1 - then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^ " - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None) - else ( - match substs with - | [] -> None - | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs)) - ))) - with | UnifyAppReturn result -> result - | e -> raise e - -(*** Logging and time *) -let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int) - = let time0 = curms () in - let result = t x in - let time1 = curms () in - (result, time1 - time0) - -let print_time prefix (t: 'a -> Tac 'b) (x: 'a): Tac 'b - = let (result, time) = time_tactic_ms t x in - print (prefix ^ string_of_int (time / 1000) ^ "." ^ string_of_int ((time/100)%10) ^ "s"); - result - -(*** Unroll forall goals *) -let _split_forall_nat - (upper_bound: pos) - ($p: (i:nat{i < upper_bound}) -> Type0) - : Lemma (requires (if upper_bound = 0 then True - else p (upper_bound - 1) /\ (forall (i:nat{i < upper_bound - 1}). p i))) - (ensures forall (i:nat{i < upper_bound}). p i) - = () - - -let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit = - let goals = goals () in - let found_goal = alloc false in - iterAll (fun _ -> - (match expect_forall (cur_goal ()) with - | Some _ -> - if read found_goal - then () - else begin - write found_goal true; - t (); - () - end - | _ -> - ()) - ); - if not (read found_goal) then t () - -/// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int -let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit - = focus_first_forall_goal (fun _ -> - let _ = - (* hacky way of printing the progress *) - let goal = term_to_string (cur_goal ()) in - let goal = match String.split ['\n'] goal with - | s::_ -> s | _ -> "" in - print ("prove_forall_pointwise: " ^ goal ^ "...") - in - apply_lemma (`_split_forall_nat); - trivial `or_else` (fun _ -> - if try norm [primops]; - split (); - true - with | e -> false - then ( - tactic (); - prove_forall_nat_pointwise tactic - ) - ) - ) - -#push-options "--compat_pre_core 2" -private let _example (phi: int -> Type0) (proof: (i:int -> Lemma (phi i))) = - assert (forall (i: nat {i < 40}). phi i) - by ( - prove_forall_nat_pointwise (fun _ -> - apply_lemma (quote proof) - ) - ) -#pop-options diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph deleted file mode 100644 index 58c54a479..000000000 --- a/fstar-helpers/fstar-bitvec/dep.graph +++ /dev/null @@ -1,2316 +0,0 @@ -digraph { - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "prims" - "fstar_seq" -> "prims" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_int32" -> "fstar_int32" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "core_option" -> "fstar_pervasives" - "core_option" -> "fstar_pervasives" - "core_option" -> "prims" - "core_option" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_squash" -> "fstar_squash" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" - "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_tactics_print" -> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "prims" - "fstar_tactics_print" -> "prims" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "prims" - "fstar_reflection_v1_compare" -> "prims" - "fstar_classical" -> "fstar_squash" - "fstar_classical" -> "fstar_squash" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_classical" -> "fstar_classical" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "fstar_seq_properties" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "fstar_calc" -> "fstar_calc" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "core" - "tactics_pow2" -> "core" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "prims" - "tactics_pow2" -> "prims" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "prims" - "fstar_option" -> "prims" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "prims" - "fstar_propositionalextensionality" -> "prims" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "prims" - "fstar_erasedlogic" -> "prims" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "bitveceq" -> "bitveceq" - "fstar_issue" -> "fstar_stubs_pprint" - "fstar_issue" -> "fstar_range" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "prims" - "fstar_issue" -> "prims" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "prims" - "fstar_mul" -> "prims" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_char" - "tactics_utils" -> "fstar_string" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "core" - "tactics_utils" -> "core" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "prims" - "tactics_utils" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "prims" - "fstar_stubs_tactics_types" -> "fstar_issue" - "fstar_stubs_tactics_types" -> "fstar_range" - "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" - "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" - "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "prims" - "fstar_stubs_tactics_types" -> "prims" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "prims" - "fstar_exn" -> "prims" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "core_ops_range" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "core_ops" - "core_iter" -> "core_ops" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "rust_primitives" - "core_iter" -> "rust_primitives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "prims" - "core_iter" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" - "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "fstar_functionalextensionality" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "prims" - "core_iter_adapters_step_by" -> "prims" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_range" - "fstar_tactics_v1_derived" -> "fstar_pervasives_native" - "fstar_tactics_v1_derived" -> "fstar_pervasives_native" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_vconfig" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "prims" - "fstar_tactics_visit" -> "prims" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "fstar_uint16" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "prims" - "core_num_error" -> "prims" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "mkseq" - "bitveceq" -> "mkseq" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "lib_inttypes" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_pervasives" - "fstar_int_cast_full" -> "fstar_pervasives" - "fstar_int_cast_full" -> "prims" - "fstar_int_cast_full" -> "prims" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "core_slice" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "prims" - "rust_primitives_hax" -> "prims" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "prims" - "fstar_reflection_v2_formula" -> "prims" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_sealed" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "prims" - "fstar_tactics_unseal" -> "prims" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_int128" -> "fstar_int128" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> "fstar_list_tot" - "tactics_seq" -> "fstar_list_tot" - "tactics_seq" -> "core" - "tactics_seq" -> "core" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "prims" - "tactics_seq" -> "prims" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_option" - "rust_primitives" -> "core_option" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "prims" - "rust_primitives" -> "prims" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_set" -> "fstar_set" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "prims" - "fstar_tactics_v1_logic" -> "prims" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_char" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_string" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "prims" - "fstar_class_printable" -> "prims" - "tactics_getbit" -> "fstar_functionalextensionality" - "tactics_getbit" -> "fstar_functionalextensionality" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "core" - "tactics_getbit" -> "core" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "prims" - "tactics_getbit" -> "prims" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "fstar_option" - "tactics_machineints" -> "fstar_option" - "tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "prims" - "tactics_machineints" -> "prims" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "prims" - "fstar_preorder" -> "prims" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "prims" - "fstar_reflection_const" -> "prims" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> "fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_stubs_reflection_types" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "prims" - "fstar_tactics_v2" -> "prims" - "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "prims" - "fstar_stubs_tactics_result" -> "prims" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> "fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "fstar_tactics_effect" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_range" -> "fstar_sealed" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "prims" - "fstar_range" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "fstar_uint32" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "prims" - "fstar_st" -> "prims" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_string" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "prims" - "bitvec_intrinsics" -> "prims" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "prims" - "fstar_char" -> "prims" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "fstar_int8" -> "fstar_int8" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_tset" -> "fstar_squash" - "fstar_tset" -> "fstar_squash" - "fstar_tset" -> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tset" -> "fstar_tset" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "rust_primitives_hax_folds" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "core" - "tactics_folds" -> "core" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "prims" - "tactics_folds" -> "prims" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "prims" - "fstar_vconfig" -> "prims" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - "fstar_reflection_v2_derived" -> "fstar_vconfig" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "prims" - "fstar_reflection_v2_derived" -> "prims" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "prims" - "fstar_tactics" -> "prims" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "prims" - "fstar_reflection_v1_derived_lemmas" -> "prims" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "fstar_classical_sugar" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_stubs_reflection_types" -> "fstar_sealed" - "fstar_stubs_reflection_types" -> "fstar_range" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "prims" - "fstar_stubs_reflection_types" -> "prims" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1" -> "fstar_reflection_v1_compare" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_stubs_reflection_types" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "prims" - "fstar_tactics_v1" -> "prims" - "fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "prims" - "fstar_list_tot" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "fstar_ghost" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "prims" - "fstar_bitvector" -> "prims" - "core" -> "core_ops" - "core" -> "core_ops" - "core" -> "core_iter" - "core" -> "core_num" - "core" -> "rust_primitives" - "core" -> "rust_primitives" - "core" -> "fstar_pervasives" - "core" -> "fstar_pervasives" - "core" -> "prims" - "core" -> "prims" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "prims" - "fstar_uint" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - "fstar_tactics_v2_logic" -> "prims" - "fstar_tactics_v2_logic" -> "prims" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "prims" - "fstar_uint" -> "prims" - "fstar_uint" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "fstar_uint8" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "prims" - "fstar_monotonic_pure" -> "prims" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "prims" - "core_ops_index" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "fstar_uint64" - "fstar_float" -> "fstar_pervasives" - "fstar_float" -> "fstar_pervasives" - "fstar_float" -> "prims" - "fstar_float" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_int" -> "fstar_int" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - "fstar_int16" -> "prims" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "prims" - "fstar_list" -> "prims" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "prims" - "fstar_predicateextensionality" -> "prims" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_vconfig" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "prims" - "fstar_reflection_v1_derived" -> "prims" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_pervasives" - "fstar_reflection_v2_arith" -> "fstar_pervasives" - "fstar_reflection_v2_arith" -> "prims" - "fstar_reflection_v2_arith" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_sealed" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "fstar_reflection_termeq" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "prims" - "core_ops_range" -> "prims" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "prims" - "core_iter_traits_iterator" -> "prims" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_math_lib" - "fstar_math_lemmas" -> "fstar_math_lib" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "fstar_math_lemmas" - "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "prims" - "fstar_tactics_builtins" -> "prims" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_char" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "prims" - "fstar_string" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "prims" - "fstar_tactics_util" -> "prims" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "prims" - "core_slice_iter" -> "prims" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "prims" - "core_ops_control_flow" -> "prims" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_slice_iter" - "core_slice" -> "core_slice_iter" - "core_slice" -> "fstar_seq" - "core_slice" -> "fstar_seq" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "prims" - "core_slice" -> "prims" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "prims" - "fstar_all" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "prims" - "fstar_list_tot_properties" -> "prims" - "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "prims" - "fstar_stubs_syntax_syntax" -> "prims" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "prims" - "core_ops_arith" -> "prims" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "core_ops_range" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "prims" - "rust_primitives_hax_folds" -> "prims" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "fstar_reflection_v1" -> "fstar_reflection_v1_compare" - "fstar_reflection_v1" -> "fstar_reflection_const" - "fstar_reflection_v1" -> "fstar_reflection_const" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "prims" - "fstar_reflection_v1" -> "prims" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_bv" -> "fstar_bv" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "prims" - "fstar_list_tot_base" -> "prims" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "prims" - "fstar_math_lib" -> "prims" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "core_ops_arith" - "core_num" -> "core_num_error" - "core_num" -> "core_result" - "core_num" -> "core_result" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "lib_inttypes" - "core_num" -> "lib_inttypes" - "core_num" -> "fstar_uint128" - "core_num" -> "fstar_uint128" - "core_num" -> "fstar_uint32" - "core_num" -> "fstar_uint32" - "core_num" -> "rust_primitives" - "core_num" -> "rust_primitives" - "core_num" -> "fstar_pervasives" - "core_num" -> "fstar_pervasives" - "core_num" -> "prims" - "core_num" -> "prims" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - "fstar_int16" -> "prims" - "fstar_int16" -> "fstar_int16" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "core" - "bitvec_utils" -> "core" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "prims" - "bitvec_utils" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "rust_primitives_integers" - "fstar_tactics_namedview" -> "fstar_range" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "prims" - "fstar_reflection_v2" -> "prims" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "prims" - "fstar_int_cast" -> "prims" - "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - "fstar_stubs_errors_msg" -> "prims" - "fstar_stubs_errors_msg" -> "prims" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_mapply" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_stubs_tactics_common" -> "fstar_range" - "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> "prims" - "fstar_stubs_tactics_common" -> "prims" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "fstar_seq_base" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_range" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_vconfig" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "prims" - "fstar_tactics_v2_derived" -> "prims" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "fstar_uint128" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "rust_primitives_arrays" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_calc" -> "fstar_range" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "bitvec_equality" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "prims" - "fstar_sealed" -> "prims" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "fstar_indefinitedescription" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "fstar_int64" -> "fstar_int64" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" - "fstar_pervasives_native" -> "prims" - "fstar_pervasives_native" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_stubs_pprint" -> "fstar_float" - "fstar_stubs_pprint" -> "fstar_char" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "prims" - "fstar_stubs_pprint" -> "prims" - "fstar_sealed_inhabited" -> "fstar_sealed" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "prims" - "fstar_sealed_inhabited" -> "prims" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "fstar_tactics_namedview" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "prims" - "fstar_heap" -> "prims" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_list_tot" - "mkseq" -> "fstar_list_tot" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "core" - "mkseq" -> "core" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "prims" - "mkseq" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> "fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "prims" - "bitvec_intrinsics_constants" -> "prims" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "prims" - "fstar_order" -> "prims" - "fstar_tactics_effect" -> "fstar_range" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> "fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "core_ops" -> "core_ops_index" - "core_ops" -> "core_ops_index" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "rust_primitives" - "core_ops" -> "rust_primitives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "prims" - "core_ops" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" - "core_result" -> "fstar_pervasives" - "core_result" -> "fstar_pervasives" - "core_result" -> "prims" - "core_result" -> "prims" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "fstar_monotonic_heap" - "fstar_tactics_smt" -> "fstar_vconfig" - "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "prims" - "fstar_tactics_smt" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "prims" - "core_iter_adapters_enumerate" -> "prims" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "prims" - "fstar_reflection_v1_formula" -> "prims" -} diff --git a/libcrux-intrinsics/Cargo.toml b/libcrux-intrinsics/Cargo.toml index 5cacc5bee..cdc0acc2b 100644 --- a/libcrux-intrinsics/Cargo.toml +++ b/libcrux-intrinsics/Cargo.toml @@ -11,7 +11,6 @@ description = "Libcrux intrinsics crate" exclude = ["/proofs"] [dependencies] -hax-lib.workspace = true [features] simd128 = [] diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti index d4014e6a8..a03c287ec 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Arm64_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst deleted file mode 100644 index 167d0b324..000000000 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ /dev/null @@ -1,1214 +0,0 @@ -module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" -open Core -open FStar.Mul - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_and_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_castsi128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_extracti128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_madd_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_slli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_srli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_movemask_epi8"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_packs_epi16"); disambiguator = 0 - } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_storeu_bytes_si128"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 16d93fb14..5ac496e48 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -1,301 +1,207 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val mm256_abs_epi32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_and_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec128 = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i +val mm256_andnot_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec256 = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i +val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) +val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi128_si256 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_ps (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_si128 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpeq_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi128_si256 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cvtepi16_epi32 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val mm256_extracti128_si256 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_inserti128_si256 (v_CONTROL: i32) (vector vector_i128: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i32 (input: t_Slice i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cvtepi16_epi32 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_madd_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i16 (input: t_Slice i16) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_mul_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i32 (input: t_Slice i32) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mul_epu32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_u8 (input: t_Slice u8) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mulhi_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec256_as_i16x16 lhs) - (vec256_as_i16x16 rhs)) +val mm256_or_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_packs_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute2x128_si256 (v_IMM8: i32) (a b: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permutevar8x32_epi32 (vector control: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_permutevar8x32_epi32} +val mm256_set1_epi32 (constant: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi64x (a: i64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set_epi16 + (input15 input14 input13 input12 input11 input10 input9 input8 input7 input6 input5 input4 input3 input2 input1 input0: + i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi32} +val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val mm256_set_epi64x (input3 input2 input1 input0: i64) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_epi8 + (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + i8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_m128i (hi lo: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_setzero_si256: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi8} +val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sign_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_shuffle_epi8} +val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi64 (v_LEFT: i32) (x: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_sllv_epi32} +val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector)) +val mm256_srli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi32 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi64 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi64 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) - : Prims.Pure (t_Slice i16) - Prims.l_True - (ensures - fun output_future -> - let output_future:t_Slice i16 = output_future in - (Core.Slice.impl__len #i16 output_future <: usize) =. - (Core.Slice.impl__len #i16 output <: usize)) +val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: u8) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256) +val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: u8) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) +val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val mm256_sub_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) - -val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi64 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm_add_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -include BitVec.Intrinsics {mm_loadu_si128} - -val mm_mulhi_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 lhs) - (vec128_as_i16x8 rhs)) - -val mm_mullo_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -val mm_set1_epi16 (constant: i16) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) +val mm256_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_set_epi32 (input3 input2 input1 input0: i32) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sub_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_set_epi8} +val mm256_testz_si256 (lhs rhs: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_shuffle_epi8} +val mm256_unpackhi_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sllv_epi32 (vector counts: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpackhi_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpacklo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_storeu_bytes_si128} +val mm256_unpacklo_epi64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) +val mm256_xor_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128) - : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) +val mm_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sub_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) +val mm_movemask_epi8 (vector: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val vec256_blendv_epi32 (a b mask: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] +val mm_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} +val mm_packs_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} +val mm_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} +val mm_set_epi32 (input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit() +val mm_set_epi8 + (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] +val mm_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() +val mm_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} +val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} +val mm_storeu_bytes_si128 (output: t_Slice u8) (vector: u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64} +val mm_storeu_si128 (output: t_Slice i16) (vector: u8) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + +val mm_storeu_si128_i32 (output: t_Slice i32) (vector: u8) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} +val mm_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} +val vec256_blendv_epi32 (a b mask: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Makefile b/libcrux-intrinsics/proofs/fstar/extraction/Makefile deleted file mode 100644 index b4ce70a38..000000000 --- a/libcrux-intrinsics/proofs/fstar/extraction/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/libcrux-intrinsics/src/arm64_extract.rs b/libcrux-intrinsics/src/arm64_extract.rs index d41241275..e43abc8f4 100644 --- a/libcrux-intrinsics/src/arm64_extract.rs +++ b/libcrux-intrinsics/src/arm64_extract.rs @@ -3,23 +3,14 @@ #![allow(non_camel_case_types, unsafe_code, unused_variables)] -#[hax_lib::opaque_type] pub type _uint16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint8x16_t = u8; -#[hax_lib::opaque_type] pub type _uint16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint32x4_t = u8; -#[hax_lib::opaque_type] pub type _int32x4_t = u8; -#[hax_lib::opaque_type] pub type _uint64x2_t = u8; -#[hax_lib::opaque_type] pub type _int64x2_t = u8; #[inline(always)] diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index ce78d81e5..8afb4ab49 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -3,33 +3,7 @@ #![allow(unused_variables, non_camel_case_types)] -#[cfg(hax)] -#[derive(Clone, Copy)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec256} = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i -"# -)] -pub struct Vec256(u8); - -#[cfg(hax)] -#[derive(Copy, Clone)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec128} = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i -"# -)] -pub struct Vec128(u8); - -#[cfg(not(hax))] pub type Vec256 = u8; -#[cfg(not(hax))] pub type Vec128 = u8; pub type Vec256Float = u8; @@ -37,8 +11,6 @@ pub fn mm256_storeu_si256_u8(output: &mut [u8], vector: Vec256) { debug_assert_eq!(output.len(), 32); unimplemented!() } - -#[hax_lib::ensures(|()| future(output).len() == output.len())] pub fn mm256_storeu_si256_i16(output: &mut [i16], vector: Vec256) { debug_assert_eq!(output.len(), 16); unimplemented!() @@ -57,13 +29,11 @@ pub fn mm_storeu_si128_i32(output: &mut [i32], vector: Vec128) { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_storeu_bytes_si128}")] pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { debug_assert_eq!(output.len(), 16); unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_loadu_si128}")] pub fn mm_loadu_si128(input: &[u8]) -> Vec128 { debug_assert_eq!(input.len(), 16); unimplemented!() @@ -89,7 +59,6 @@ pub fn mm256_set_m128i(hi: Vec128, lo: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_set_epi8}")] pub fn mm_set_epi8( byte15: u8, byte14: u8, @@ -111,7 +80,6 @@ pub fn mm_set_epi8( unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi8}")] pub fn mm256_set_epi8( byte31: i8, byte30: i8, @@ -149,33 +117,9 @@ pub fn mm256_set_epi8( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.create (sz 16) $constant"))] -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] -"# -)] pub fn mm256_set1_epi16(constant: i16) -> Vec256 { unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() -"# -)] pub fn mm256_set_epi16( input15: i16, input14: i16, @@ -197,8 +141,6 @@ pub fn mm256_set_epi16( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.create (sz 8) $constant"))] #[inline(always)] pub fn mm_set1_epi16(constant: i16) -> Vec128 { unimplemented!() @@ -213,8 +155,6 @@ pub fn mm256_set1_epi32(constant: i32) -> Vec256 { pub fn mm_set_epi32(input3: i32, input2: i32, input1: i32, input0: i32) -> Vec128 { unimplemented!() } - -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi32}")] #[inline(always)] pub fn mm256_set_epi32( input7: i32, @@ -229,27 +169,15 @@ pub fn mm256_set_epi32( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (+.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] +#[inline(always)] pub fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } - -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (-.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] -pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { - unimplemented!() -} - -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (+.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] +#[inline(always)] pub fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_madd_epi16 as ${mm256_madd_epi16}}" -)] +#[inline(always)] pub fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } @@ -258,12 +186,6 @@ pub fn mm256_add_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (-.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] -pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { - unimplemented!() -} - #[inline(always)] pub fn mm256_add_epi64(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() @@ -274,26 +196,21 @@ pub fn mm256_abs_epi32(a: Vec256) -> Vec256 { unimplemented!() } +pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} pub fn mm256_sub_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_mullo_epi16 as ${mm256_mullo_epi16}} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2))] = admit() -"# -)] +pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + pub fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mullo_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -326,9 +243,6 @@ pub fn mm256_movemask_ps(a: Vec256Float) -> i32 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mulhi_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -337,8 +251,6 @@ pub fn mm256_mullo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] pub fn mm256_mulhi_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } @@ -352,17 +264,6 @@ pub fn mm256_mul_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_and_si256 as ${mm256_and_si256}} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] -"# -)] #[inline(always)] pub fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() @@ -381,9 +282,6 @@ pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (vec256_as_i16x16 $vector)"))] pub fn mm256_srai_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -393,10 +291,6 @@ pub fn mm256_srai_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi16 as ${mm256_srli_epi16::<0>}}" -)] pub fn mm256_srli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -410,20 +304,11 @@ pub fn mm_srli_epi64(vector: Vec128) -> Vec128 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi64 as ${mm256_srli_epi64::<0>}}" -)] pub fn mm256_srli_epi64(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_slli_epi16 as ${mm256_slli_epi16::<0>}}" -)] pub fn mm256_slli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -434,11 +319,9 @@ pub fn mm256_slli_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_shuffle_epi8}")] pub fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_shuffle_epi8}")] pub fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } @@ -464,10 +347,6 @@ pub fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_castsi256_si128 as ${mm256_castsi256_si128}}" -)] pub fn mm256_castsi256_si128(vector: Vec256) -> Vec128 { unimplemented!() } @@ -479,10 +358,6 @@ pub fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_packs_epi16 as ${mm_packs_epi16}}" -)] pub fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -490,10 +365,6 @@ pub fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_extracti128_si256 as ${mm256_extracti128_si256::<0>}}" -)] pub fn mm256_extracti128_si256(vector: Vec256) -> Vec128 { debug_assert!(CONTROL == 0 || CONTROL == 1); unimplemented!() @@ -523,21 +394,17 @@ pub fn vec256_blendv_epi32(a: Vec256, b: Vec256, mask: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_movemask_epi8 as ${mm_movemask_epi8}}" -)] #[inline(always)] pub fn mm_movemask_epi8(vector: Vec128) -> i32 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_permutevar8x32_epi32}")] #[inline(always)] pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } +#[inline(always)] pub fn mm256_srlv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } @@ -549,9 +416,6 @@ pub fn mm256_srlv_epi64(vector: Vec256, counts: Vec256) -> Vec256 { pub fn mm_sllv_epi32(vector: Vec128, counts: Vec128) -> Vec128 { unimplemented!() } - -#[inline(always)] -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_sllv_epi32}")] pub fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 9c1d52fea..63ab2a72b 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -19,6 +19,7 @@ bench = false # so libtest doesn't eat the arguments to criterion libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [dev-dependencies] rand = { version = "0.8" } @@ -29,8 +30,8 @@ criterion = "0.5" pqcrypto-dilithium = { version = "0.5.0" } #, default-features = false [features] -simd128 = [] -simd256 = [] +simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] +simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] acvp = [] # expose internal API for ACVP testing [[bench]] @@ -48,3 +49,8 @@ harness = false [[bench]] name = "ml-dsa" harness = false + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = [ + 'cfg(hax)', +] } diff --git a/libcrux-ml-dsa/hax.py b/libcrux-ml-dsa/hax.py new file mode 100755 index 000000000..e8d2ba309 --- /dev/null +++ b/libcrux-ml-dsa/hax.py @@ -0,0 +1,172 @@ +#! /usr/bin/env python3 + +import os +import argparse +import subprocess +import sys + + +def shell(command, expect=0, cwd=None, env={}): + subprocess_stdout = subprocess.DEVNULL + + print("Env:", env) + print("Command: ", end="") + for i, word in enumerate(command): + if i == 4: + print("'{}' ".format(word), end="") + else: + print("{} ".format(word), end="") + + print("\nDirectory: {}".format(cwd)) + + os_env = os.environ + os_env.update(env) + + ret = subprocess.run(command, cwd=cwd, env=os_env) + if ret.returncode != expect: + raise Exception("Error {}. Expected {}.".format(ret, expect)) + + +class extractAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + # Extract platform interfaces + include_str = "+:** -**::x86::init::cpuid -**::x86::init::cpuid_count" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../sys/platform", + env=hax_env, + ) + + # Extract intrinsics interfaces + include_str = "+:**" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../libcrux-intrinsics", + env=hax_env, + ) + + # Extract ml-dsa + includes = [ + "+**", + "-libcrux_ml_dsa::hash_functions::portable::*", + "-libcrux_ml_dsa::hash_functions::simd256::*", + "-libcrux_ml_dsa::hash_functions::neon::*", + "+:libcrux_ml_dsa::hash_functions::*::*", + ] + include_str = " ".join(includes) + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "100", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd=".", + env=hax_env, + ) + return None + + +class proveAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + admit_env = {} + if args.admit: + admit_env = {"OTHERFLAGS": "--admit_smt_queries true"} + shell(["make", "-C", "proofs/fstar/extraction/"], env=admit_env) + return None + + +def parse_arguments(): + parser = argparse.ArgumentParser( + description="Libcrux prove script. " + + "Make sure to separate sub-command arguments with --." + ) + subparsers = parser.add_subparsers() + + extract_parser = subparsers.add_parser( + "extract", help="Extract the F* code for the proofs." + ) + extract_parser.add_argument("extract", nargs="*", action=extractAction) + + prover_parser = subparsers.add_parser( + "prove", + help=""" + Run F*. + + This typechecks the extracted code. + To lax-typecheck use --admit. + """, + ) + prover_parser.add_argument( + "--admit", + help="Admit all smt queries to lax typecheck.", + action="store_true", + ) + prover_parser.add_argument( + "prove", + nargs="*", + action=proveAction, + ) + + if len(sys.argv) == 1: + parser.print_help(sys.stderr) + sys.exit(1) + + return parser.parse_args() + + +def main(): + # Don't print unnecessary Python stack traces. + sys.tracebacklimit = 0 + parse_arguments() + + +if __name__ == "__main__": + main() diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst new file mode 100644 index 000000000..787aefa44 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -0,0 +1,544 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let vector_low:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ i -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i:usize = i in + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + ((vector_low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ j -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let j:usize = j in + let low, high:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let vector_low:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_low + i + ({ + (vector_low.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_low.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + low + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let vector_high:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_high + i + ({ + (vector_high.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_high.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + high + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + vector_low, vector_high + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + Rust_primitives.Hax.Folds.fold_enumerated_slice (ring_element + .Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let j, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let t0_unit, t1_unit:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + i + ({ + (t0.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t0.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t0_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + ({ + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t1_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_SHIFT_BY + simd_unit + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out + +let use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (hint.[ i ] <: t_Slice i32) + in + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + ((result.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result j -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let j:usize = j in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + ({ + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((re_vector.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + result + +let vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + exceeds + (fun exceeds ring_element -> + let exceeds:bool = exceeds in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + exceeds || + (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound + <: + bool)) + in + exceeds + +let make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_DIMENSION + in + let true_hints:usize = sz 0 in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + (fun temp_0_ i -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ j -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let j:usize = j in + let one_hints_count, current_hint:(usize & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + hint_simd with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + current_hint + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let true_hints:usize = true_hints +! one_hints_count in + hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd + <: + t_Array i32 (sz 256)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti new file mode 100644 index 000000000..aa749b797 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -0,0 +1,73 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti new file mode 100644 index 000000000..6263c2610 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti @@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Constants +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 + +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 + +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 + +/// The length of `context` is serialized to a single `u8`. +let v_CONTEXT_MAX_LEN: usize = sz 255 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 + +let v_BITS_IN_UPPER_PART_OF_T: usize = + v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T + +/// Number of bytes of entropy required for key generation. +let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 + +let v_MASK_SEED_SIZE: usize = sz 64 + +let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64 + +let v_REJECTION_SAMPLE_BOUND_SIGN: usize = sz 814 + +let v_RING_ELEMENT_OF_T0S_SIZE: usize = + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_RING_ELEMENT_OF_T1S_SIZE: usize = + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_SEED_FOR_A_SIZE: usize = sz 32 + +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 + +let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 + +/// Number of bytes of entropy required for signing. +let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst new file mode 100644 index 000000000..8634dfbe9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -0,0 +1,170 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 128uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 192uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 6) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let (offset: usize):usize = sz 0 in + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + (fun temp_0_ ring_element -> + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (serialize #v_SIMDUnit v_RING_ELEMENT_SIZE ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_RING_ELEMENT_SIZE in + offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti new file mode 100644 index 000000000..0becaf037 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6 + +val serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst new file mode 100644 index 000000000..84a413aa5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst @@ -0,0 +1,243 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3) + | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_ETA + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 serialized v_RING_ELEMENT_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit v_ETA bytes + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 3) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti new file mode 100644 index 000000000..199d62d48 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -0,0 +1,40 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4 + +val deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst new file mode 100644 index 000000000..470cf8ab6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst @@ -0,0 +1,194 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18) + | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 18) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | 19uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 20) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti new file mode 100644 index 000000000..c6b16420b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti @@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20 + +val deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst new file mode 100644 index 000000000..974a66ac7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -0,0 +1,348 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let commitment_hash, rest_of_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) v_COMMITMENT_HASH_SIZE + in + let signer_response_serialized, hint_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + rest_of_serialized + (v_GAMMA1_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun signer_response temp_1_ -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let _:usize = temp_1_ in + true) + signer_response + (fun signer_response i -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + i + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (signer_response_serialized.[ { + Core.Ops.Range.f_start = i *! v_GAMMA1_RING_ELEMENT_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_ROWS_IN_A + in + let previous_true_hints_seen:usize = sz 0 in + let i:usize = sz 0 in + let malformed_hint:bool = false in + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & + usize & + bool & + usize) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + (i <. v_ROWS_IN_A <: bool) && (~.malformed_hint <: bool)) + (hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + let current_true_hints_seen:usize = + cast (hint_serialized.[ v_MAX_ONES_IN_HINT +! i <: usize ] <: u8) <: usize + in + let malformed_hint:bool = + if + current_true_hints_seen <. previous_true_hints_seen || + previous_true_hints_seen >. v_MAX_ONES_IN_HINT + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let j:usize = previous_true_hints_seen in + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + (~.malformed_hint <: bool) && (j <. current_true_hints_seen <: bool)) + (hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + let malformed_hint:bool = + if + j >. previous_true_hints_seen && + (hint_serialized.[ j ] <: u8) <=. + (hint_serialized.[ j -! sz 1 <: usize ] <: u8) + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + if ~.malformed_hint + then + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (hint.[ i ] + <: + t_Array i32 (sz 256)) + (cast (hint_serialized.[ j ] <: u8) <: usize) + 1l + <: + t_Array i32 (sz 256)) + in + let j:usize = j +! sz 1 in + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) + else + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + in + if ~.malformed_hint + then + let previous_true_hints_seen:usize = current_true_hints_seen in + let i:usize = i +! sz 1 in + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) + else + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + in + let i:usize = previous_true_hints_seen in + let i, malformed_hint:(usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + (i <. v_MAX_ONES_IN_HINT <: bool) && (~.malformed_hint <: bool)) + (i, malformed_hint <: (usize & bool)) + (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + let malformed_hint:bool = + if (hint_serialized.[ i ] <: u8) <>. 0uy + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let i:usize = i +! sz 1 in + i, malformed_hint <: (usize & bool)) + in + if malformed_hint + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_MalformedHintError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Ok + ({ + Libcrux_ml_dsa.Types.f_commitment_hash + = + Core.Result.impl__unwrap #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #FStar.Tactics.Typeclasses.solve + commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Core.Array.t_TryFromSliceError); + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint + } + <: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError + +let impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + = + let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE in + let offset:usize = sz 0 in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (self.Libcrux_ml_dsa.Types.f_commitment_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_COMMITMENT_HASH_SIZE in + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun temp_0_ temp_1_ -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let _:usize = temp_1_ in + true) + (offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + (fun temp_0_ i -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let i:usize = i in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + (self.Libcrux_ml_dsa.Types.f_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_GAMMA1_RING_ELEMENT_SIZE in + offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + in + let true_hints_seen:usize = sz 0 in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ i -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let i:usize = i in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.Libcrux_ml_dsa.Types.f_hint.[ i ] + <: + t_Array i32 (sz 256)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let j, hint:(usize & i32) = temp_1_ in + if hint =. 1l <: bool + then + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + (offset +! true_hints_seen <: usize) + (cast (j <: usize) <: u8) + in + let true_hints_seen:usize = true_hints_seen +! sz 1 in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize) + else signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + ((offset +! v_MAX_ONES_IN_HINT <: usize) +! i <: usize) + (cast (true_hints_seen <: usize) <: u8) + in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti new file mode 100644 index 000000000..946d0fb21 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure + (Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNATURE_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst new file mode 100644 index 000000000..1394c5939 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst @@ -0,0 +1,328 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + = + let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_signing + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 64)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 64)) + #FStar.Tactics.Typeclasses.solve + verification_key_hash + <: + Core.Result.t_Result (t_Array u8 (sz 64)) Core.Array.t_TryFromSliceError), + s1_as_ntt, + s2_as_ntt, + t0_as_ntt + <: + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + +let generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_SIGNING_KEY_SIZE + in + let offset:usize = sz 0 in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_signing + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + verification_key + verification_key_hash + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (verification_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + signing_key_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti new file mode 100644 index 000000000..b8a8f2d90 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti @@ -0,0 +1,34 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst new file mode 100644 index 000000000..b1193d6cd --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst @@ -0,0 +1,180 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 13) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 + serialized + Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit bytes + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in + let serialized:t_Array u8 (sz 416) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 416)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti new file mode 100644 index 000000000..3969d9d7c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -0,0 +1,36 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst new file mode 100644 index 000000000..6a59315c3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -0,0 +1,129 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 10) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.repeat 0uy (sz 320) in + let serialized:t_Array u8 (sz 320) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 320)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti new file mode 100644 index 000000000..f05c66a13 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -0,0 +1,26 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 320)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst new file mode 100644 index 000000000..94a614a45 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst @@ -0,0 +1,166 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun t1 temp_1_ -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let _:usize = temp_1_ in + true) + t1 + (fun t1 i -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit + (serialized_remaining.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + t1 + <: + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + +let generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_VERIFICATION_KEY_SIZE + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun verification_key_serialized temp_1_ -> + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let _:usize = temp_1_ in + true) + verification_key_serialized + (fun verification_key_serialized temp_1_ -> + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + let offset:usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T1.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + verification_key_serialized) + in + verification_key_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti new file mode 100644 index 000000000..59e60a0ee --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti @@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti new file mode 100644 index 000000000..9ad6829f1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti @@ -0,0 +1,281 @@ +module Libcrux_ml_dsa.Hash_functions.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val t_Shake128x4:Type0 + +/// Neon SHAKE 256 x4 state +val t_Shake256x4:Type0 + +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128x4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out5: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti new file mode 100644 index 000000000..c1b251529 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -0,0 +1,374 @@ +module Libcrux_ml_dsa.Hash_functions.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Portable SHAKE 128 state +val t_Shake128:Type0 + +/// Portable SHAKE 128 x4 state. +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake128X4:Type0 + +/// Portable SHAKE 256 state +val t_Shake256:Type0 + +/// Portable SHAKE 256 x4 state. +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake256X4:Type0 + +val t_Shake256Absorb:Type0 + +val t_Shake256Squeeze:Type0 + +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) + +val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = + { + f_shake128_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake128_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake128 + = + fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = shake128 v_OUTPUT_LENGTH input out in + out + } + +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb_final (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Squeeze Prims.l_True (fun _ -> Prims.l_True) + +val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8) + : Prims.Pure (t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256X4) + : Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128X4) + : Prims.Pure + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128X4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128X4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128X4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128X4) + (out5: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128X4) -> + let tmp0, out4:(t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, hax_temp_output + <: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = shake256 v_OUTPUT_LENGTH input out in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + +val squeeze_next_block_x4 (state: t_Shake256X4) + : Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256X4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256X4) + (out5: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256X4) -> + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256X4) + (out5: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block_x4 + = + (fun (self: t_Shake256X4) -> + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self + in + let self:t_Shake256X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let out0:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input0 out0 in + let out1:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input1 out1 in + let out2:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input2 out2 in + let out3:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input3 out3 in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti new file mode 100644 index 000000000..aa229c844 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti @@ -0,0 +1,72 @@ +module Libcrux_ml_dsa.Hash_functions.Shake128 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake128_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake128_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) +} + +/// When sampling matrix A we always want to do 4 absorb/squeeze calls in +/// parallel. +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_five_blocks_pre: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) + -> Type0; + f_squeeze_first_five_blocks_post: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + -> Type0; + f_squeeze_first_five_blocks: + x0: v_Self -> + x1: t_Array u8 (sz 840) -> + x2: t_Array u8 (sz 840) -> + x3: t_Array u8 (sz 840) -> + x4: t_Array u8 (sz 840) + -> Prims.Pure + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) + (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = sz 168 + +let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti new file mode 100644 index 000000000..bd150aa95 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti @@ -0,0 +1,106 @@ +module Libcrux_ml_dsa.Hash_functions.Shake256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake256_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake256:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake256_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); + f_init_absorb_pre:t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 + -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb_x4:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_x4_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_x4_post x0 x1 x2 x3 result); + f_squeeze_first_block_x4_pre:v_Self -> Type0; + f_squeeze_first_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_first_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_first_block_x4_pre x0) + (fun result -> f_squeeze_first_block_x4_post x0 result); + f_squeeze_next_block_x4_pre:v_Self -> Type0; + f_squeeze_next_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_next_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_next_block_x4_pre x0) + (fun result -> f_squeeze_next_block_x4_post x0 result); + f_shake256_x4_pre: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN + -> Type0; + f_shake256_x4_post: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + -> Type0; + f_shake256_x4: + v_OUT_LEN: usize -> + x0: t_Slice u8 -> + x1: t_Slice u8 -> + x2: t_Slice u8 -> + x3: t_Slice u8 -> + x4: t_Array u8 v_OUT_LEN -> + x5: t_Array u8 v_OUT_LEN -> + x6: t_Array u8 v_OUT_LEN -> + x7: t_Array u8 v_OUT_LEN + -> Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + (f_shake256_x4_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) + (fun result -> f_shake256_x4_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result) +} + +let v_BLOCK_SIZE: usize = sz 136 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti new file mode 100644 index 000000000..97db532b4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti @@ -0,0 +1,348 @@ +module Libcrux_ml_dsa.Hash_functions.Simd256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// AVX2 SHAKE 128 state +/// This only implements the XofX4 API. For the single Xof, the portable +/// version is used. +val t_Shake128x4:Type0 + +/// AVX2 SHAKE 256 x4 state. +val t_Shake256x4:Type0 + +/// AVX2 SHAKE 256 state +val t_Shake256:Type0 + +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128x4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out5: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let hax_temp_output, out:(Prims.unit & t_Array u8 v_OUTPUT_LENGTH) = + (), shake256 v_OUTPUT_LENGTH input out <: (Prims.unit & t_Array u8 v_OUTPUT_LENGTH) + in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + +val squeeze_next_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst new file mode 100644 index 000000000..0f4339ffb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst @@ -0,0 +1,473 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_enumerated_slice (vector + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i, vector_ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + vector_ring_element + ring_element + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (signer_response.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit + 13l + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + verifier_challenge_as_ntt + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + challenge_times_t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti new file mode 100644 index 000000000..7db4128e6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti @@ -0,0 +1,90 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŷ) +val compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ +val compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +val compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst new file mode 100644 index 000000000..e68b8fe9b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti new file mode 100644 index 000000000..2cc5f13c7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst new file mode 100644 index 000000000..f27fbeff4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti new file mode 100644 index 000000000..58227663f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst new file mode 100644 index 000000000..b28affb1d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) + 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) + (sz 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti new file mode 100644 index 000000000..1e6653b8a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst new file mode 100644 index 000000000..4eff956f5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) + (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti new file mode 100644 index 000000000..a677e8e9a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti @@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 + +let v_COLUMNS_IN_A: usize = sz 4 + +let v_COMMITMENT_HASH_SIZE: usize = sz 32 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 17 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l + +let v_MAX_ONES_IN_HINT: usize = sz 80 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 4 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 44 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA44KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 44 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA44Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA44Signature`]. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst new file mode 100644 index 000000000..4dcf80489 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti new file mode 100644 index 000000000..bfcb87df8 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst new file mode 100644 index 000000000..b54a04df2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti new file mode 100644 index 000000000..ff39c5e48 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst new file mode 100644 index 000000000..eaf1e627f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) + (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) + (sz 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti new file mode 100644 index 000000000..7568a9a1c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst new file mode 100644 index 000000000..d75500055 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l + (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) + (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti new file mode 100644 index 000000000..47735a500 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti @@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 5 + +let v_COMMITMENT_HASH_SIZE: usize = sz 48 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 4 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 55 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 6 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 65 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA65KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 65 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA65Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA65Signature`]. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst new file mode 100644 index 000000000..27eb5b514 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti new file mode 100644 index 000000000..2b2ba04ee --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst new file mode 100644 index 000000000..e89d61679 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti new file mode 100644 index 000000000..499342491 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst new file mode 100644 index 000000000..8ff301da4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) + (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) + (sz 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti new file mode 100644 index 000000000..5825b758b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti @@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst new file mode 100644 index 000000000..7628dbe10 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l + (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) + (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti new file mode 100644 index 000000000..f5eb82a25 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti @@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 7 + +let v_COMMITMENT_HASH_SIZE: usize = sz 64 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 75 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 8 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 87 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA87KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 87 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA87Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA87Signature`]. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst new file mode 100644 index 000000000..db410963c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst @@ -0,0 +1,97 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti new file mode 100644 index 000000000..f5492bbb9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti @@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst new file mode 100644 index 000000000..42e4c6671 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti new file mode 100644 index 000000000..3763fcb0a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -0,0 +1,67 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst new file mode 100644 index 000000000..9e12c192d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -0,0 +1,98 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) + v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti new file mode 100644 index 000000000..93c40dc34 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti @@ -0,0 +1,79 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst new file mode 100644 index 000000000..3ed0bdc8f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -0,0 +1,97 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti new file mode 100644 index 000000000..1e4399d64 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti @@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst new file mode 100644 index 000000000..69d507f61 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst @@ -0,0 +1,163 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + message context randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message context randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message context randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message context signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message context signature_serialized + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti new file mode 100644 index 000000000..c617ed3c3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti @@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst new file mode 100644 index 000000000..878dd2cb5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -0,0 +1,958 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let derive_message_representative + (verification_key_hash: t_Array u8 (sz 64)) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (message: t_Slice u8) + (message_representative: t_Array u8 (sz 64)) + = + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (verification_key_hash <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + match domain_separation_context with + | Core.Option.Option_Some domain_separation_context -> + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + ((let list = + [ + cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) + (Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + bool) + <: + u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + ((let list = + [ + cast (Core.Slice.impl__len #u8 + (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context + <: + t_Slice u8) + <: + usize) + <: + u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) + in + (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with + | Core.Option.Option_Some pre_hash_oid -> + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (pre_hash_oid <: t_Slice u8) + | _ -> shake) + | _ -> shake + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake message + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake message_representative + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let message_representative:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + message_representative + +let sign_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array + u8 (sz 32) & + t_Array u8 (sz 32) & + t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Signing_key.deserialize_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + signing_key + in + let v_A_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) + <: + t_Array u8 (sz 34)) + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + derive_message_representative verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (seed_for_signing <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake mask_seed + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let v_BETA:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let tmp0, out:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + v_COLUMNS_IN_A + v_GAMMA1_EXPONENT + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) (mask_seed <: t_Slice u8) + <: + t_Array u8 (sz 66)) + domain_separator_for_mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + out + in + let v_A_times_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_A_times_mask #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_A_as_ntt + mask + in + let w0, commitment:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + v_ROWS_IN_A + v_GAMMA2 + v_A_times_mask + in + let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE + in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_ROWS_IN_A + v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE + commitment + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (message_representative <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & + t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash_candidate + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + v_ONES_IN_VERIFIER_CHALLENGE + v_COMMITMENT_HASH_SIZE + commitment_hash_candidate + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_COLUMNS_IN_A + s1_as_ntt + verifier_challenge_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_ROWS_IN_A + s2_as_ntt + verifier_challenge_as_ntt + in + let signer_response_candidate:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit v_COLUMNS_IN_A mask challenge_times_s1 + in + let w0_minus_challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit v_ROWS_IN_A w0 challenge_times_s2 + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signer_response_candidate + ((1l <. v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A)) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) = + Core.Option.Option_Some signer_response_candidate + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A))) + in + match + match commitment_hash with + | Core.Option.Option_Some commitment_hash -> + Core.Result.Result_Ok commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok commitment_hash -> + (match + match signer_response with + | Core.Option.Option_Some signer_response -> + Core.Result.Result_Ok signer_response + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok signer_response -> + (match + match hint with + | Core.Option.Option_Some hint -> + Core.Result.Result_Ok hint + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok hint -> + let signature:t_Array u8 v_SIGNATURE_SIZE = + Libcrux_ml_dsa.Encoding.Signature.impl__serialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + ({ + Libcrux_ml_dsa.Types.f_commitment_hash = commitment_hash; + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint + } + <: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + in + Core.Result.Result_Ok + (Libcrux_ml_dsa.Types.MLDSASignature signature + <: + Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist36 -> + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + message + (Core.Option.Option_Some hoist36 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + else + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist39 -> + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some hoist39 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + +let verify_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let seed_for_A, t1:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + verification_key_serialized + in + match + Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + signature_serialized + with + | Core.Result.Result_Ok signature -> + if + ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signature.Libcrux_ml_dsa.Types.f_signer_response + ((2l <. commitment_hash + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist41 -> + verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message + (Core.Option.Option_Some hoist41 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist43 -> + verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized + (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some hoist43 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + = + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake seed_expanded + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) + in + let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + v_ETA + v_COLUMNS_IN_A + v_ROWS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) seed_for_error_vectors <: t_Array u8 (sz 66)) + in + let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + seed_for_a + t1 + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing + (verification_key_serialized <: t_Slice u8) s1 s2 t0 + in + signing_key_serialized, verification_key_serialized + <: + (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti new file mode 100644 index 000000000..abf9c8d7c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -0,0 +1,167 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm +/// 8, resp.). +/// If `domain_separation_context` is supplied, applies domain +/// separation and length encoding to the context string, +/// before appending the message (in the regular variant) or the +/// pre-hash OID as well as the pre-hashed message digest. Otherwise, +/// it is assumed that `message` already contains domain separation +/// information. +/// In FIPS 204 M' is the concatenation of the domain separated context, any +/// potential pre-hash OID and the message (or the message pre-hash). We do not +/// explicitely construct the concatenation in memory since it is of statically unknown +/// length, but feed its components directly into the incremental XOF. +/// Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS +/// 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) +/// for details on the domain separation for regular ML-DSA. Line +/// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA +/// variant. +val derive_message_representative + (verification_key_hash: t_Array u8 (sz 64)) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (message: t_Slice u8) + (message_representative: t_Array u8 (sz 64)) + : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal signing API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val sign_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val verify_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate a key pair. +val generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst new file mode 100644 index 000000000..25a5d7d91 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -0,0 +1,796 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let invert_ntt_at_layer_0___round + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + index + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 0) 1976782l (-846154l) 1400424l 3937738l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 2) (-3545687l) 1612842l (-976891l) 183443l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 3) + (-2286327l) + (-420899l) + (-2235985l) + (-2939036l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 4) + (-3833893l) + (-260646l) + (-1104333l) + (-1667432l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 6) 472078l 1717735l (-975884l) 2213111l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 7) 269760l 3866901l 3523897l (-3038916l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 9) 3014001l 1616392l 162844l (-3183426l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 10) (-1207385l) 185531l 3369112l 1957272l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 13) + (-1846953l) + (-1671176l) + (-2831860l) + (-542412l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 14) 3406031l 2235880l 777191l 1500165l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 15) + (-1374803l) + (-2546312l) + 1917081l + (-1279661l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 17) + (-1430225l) + (-3318210l) + 1237275l + (-1333058l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 20) 1595974l 2486353l 1247620l 4055324l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 21) 1265009l (-2590150l) 2691481l 2842341l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 22) 203044l 1735879l (-3342277l) 3437287l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 23) 4108315l (-2437823l) 286988l 342297l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 24) + (-3595838l) + (-768622l) + (-525098l) + (-3556995l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 27) 819034l 909542l 1859098l 900702l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 28) + (-3193378l) + (-1197226l) + (-3759364l) + (-3520352l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 29) 3513181l (-1235728l) 2434439l 266997l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 30) + (-3562462l) + (-2446433l) + 2244091l + (-3342478l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 31) 3817976l 2316500l 3407706l 2091667l + in + re + +let invert_ntt_at_layer_1___round + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_: i32) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + index + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta_0_ + zeta_1_ + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 0) 3839961l (-3628969l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 1) (-3881060l) (-3019102l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 2) (-1439742l) (-812732l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 3) (-1584928l) 1285669l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 4) 1341330l 1315589l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 5) (-177440l) (-2409325l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 6) (-1851402l) 3159746l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 7) (-3553272l) 189548l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 8) (-1316856l) 759969l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 9) (-210977l) 2389356l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 10) (-3249728l) 1653064l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 11) (-8578l) (-3724342l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 12) 3958618l 904516l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 13) (-1100098l) 44288l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 14) 3097992l 508951l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 15) 264944l (-3343383l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 16) (-1430430l) 1852771l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 17) 1349076l (-381987l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 18) (-1308169l) (-22981l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 19) (-1228525l) (-671102l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 20) (-2477047l) (-411027l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 21) (-3693493l) (-2967645l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 22) 2715295l 2147896l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 23) (-983419l) 3412210l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 24) 126922l (-3632928l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 25) (-3157330l) (-3190144l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 26) (-1000202l) (-4083598l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 27) 1939314l (-1257611l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 28) (-1585221l) 2176455l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 29) 3475950l (-1452451l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 30) (-3041255l) (-3677745l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 31) (-1528703l) (-3930395l) + in + re + +let invert_ntt_at_layer_2___round + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta: i32) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + index + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 0) (-2797779l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 1) 2071892l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 2) (-2556880l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 3) 3900724l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 4) 3881043l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 5) 954230l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 6) 531354l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 7) 811944l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 8) 3699596l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 9) (-1600420l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 10) (-2140649l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 11) 3507263l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 12) (-3821735l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 13) 3505694l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 14) (-1643818l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 15) (-1699267l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 16) (-539299l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 17) 2348700l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 18) (-300467l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 19) 3539968l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 20) (-2867647l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 21) 3574422l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 22) (-3043716l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 23) (-3861115l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 24) 3915439l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 25) (-2537516l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 26) (-3592148l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 27) (-1661693l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 28) 3530437l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 29) 3077325l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 30) 95776l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 31) 2706023l + in + re + +let ntt + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + { + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + re.Libcrux_ml_dsa.Polynomial.f_simd_units + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + +let outer_3_plus + (#v_SIMDUnit: Type0) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let a_minus_b:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] + <: + v_SIMDUnit) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit a_minus_b v_ZETA + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let invert_ntt_at_layer_3_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 1) 280005l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 2) (sz 1) 4010497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 1) (-19422l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 6) (sz 1) 1757237l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 1) (-3277672l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 10) (sz 1) (-1399561l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 1) (-3859737l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 14) (sz 1) (-2118186l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 1) (-2108549l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 18) (sz 1) 2619752l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 1) (-1119584l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 22) (sz 1) (-549488l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 1) 3585928l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 26) (sz 1) (-1079900l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 1) 1024112l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 30) (sz 1) 2725464l re + in + re + +let invert_ntt_at_layer_4_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 2) 2680103l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 2) 3111497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 2) (-2884855l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 2) 3119733l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 2) (-2091905l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 2) (-359251l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 2) 2353451l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 2) 1826347l re + in + re + +let invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 4) 466468l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 4) (-876248l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 4) (-777960l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 4) 237124l re + in + re + +let invert_ntt_at_layer_6_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 8) (-518909l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 8) (-2608894l) re + in + re + +let invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 16) 25847l re + in + re + +let invert_ntt_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_3_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_4_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_5_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_6_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_7_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let i:usize = i in + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply_by_constant #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + 41978l + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + re + +let ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (out.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti new file mode 100644 index 000000000..15b336a66 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti @@ -0,0 +1,158 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let invert_ntt_at_layer_3___STEP: usize = sz 8 + +let invert_ntt_at_layer_3___STEP_BY: usize = sz 1 + +let invert_ntt_at_layer_4___STEP: usize = sz 16 + +let invert_ntt_at_layer_4___STEP_BY: usize = sz 2 + +let invert_ntt_at_layer_5___STEP: usize = sz 32 + +let invert_ntt_at_layer_5___STEP_BY: usize = sz 4 + +let invert_ntt_at_layer_6___STEP: usize = sz 64 + +let invert_ntt_at_layer_6___STEP_BY: usize = sz 8 + +let invert_ntt_at_layer_7___STEP: usize = sz 128 + +let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 + +val invert_ntt_at_layer_0___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val outer_3_plus + (#v_SIMDUnit: Type0) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_6_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst new file mode 100644 index 000000000..d92cb4d77 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -0,0 +1,258 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit + (sz 32)) + #FStar.Tactics.Typeclasses.solve + self.f_simd_units + <: + Core.Array.Iter.t_IntoIter v_SIMDUnit (sz 32)) + exceeds + (fun exceeds simd_unit -> + let exceeds:bool = exceeds in + let simd_unit:v_SIMDUnit = simd_unit in + exceeds || + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + bound + <: + bool)) + in + exceeds + +let impl__ZERO + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_ZERO #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + v_SIMDUnit) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +let impl__from_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (array: t_Slice i32) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #i32 array <: usize) >=. sz 256 <: bool) + in + () + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = + Core.Slice.impl__chunks #i32 array Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT + (fun temp_0_ temp_1_ -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (array_chunks, result <: (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ i -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks i32 & Core.Option.t_Option (t_Slice i32)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks i32) + #FStar.Tactics.Typeclasses.solve + array_chunks + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = tmp0 in + array_chunks, + ({ + result with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice i32) out <: t_Slice i32) + <: + v_SIMDUnit) + } + <: + t_PolynomialRingElement v_SIMDUnit) + <: + (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + in + result + +let impl__add + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let sum:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun sum temp_1_ -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let i:usize = i in + { + sum with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + sum + +let impl__subtract + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let difference:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (difference.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun difference temp_1_ -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let i:usize = i in + { + difference with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + difference + +let impl__to_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range result + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #i32 + (result.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice i32) + <: + t_Slice i32) + <: + t_Array i32 (sz 256)) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti new file mode 100644 index 000000000..918eb2620 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -0,0 +1,51 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +type t_PolynomialRingElement + (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { f_simd_units:t_Array v_SIMDUnit (sz 32) } + +val impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val impl__ZERO: + #v_SIMDUnit: Type0 -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__from_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (array: t_Slice i32) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__add + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__subtract + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__to_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst new file mode 100644 index 000000000..c8f3084d4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +let impl_1__context (self: t_DomainSeparationContext) = self.f_context + +let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid + +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + +let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = + match x with | DomainSeparationError_ContextTooLongError -> isz 0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti new file mode 100644 index 000000000..2e097f642 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti @@ -0,0 +1,113 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +/// Binds the context string to an optional pre-hash OID identifying +/// the hash function or XOF used for pre-hashing. +type t_DomainSeparationContext = { + f_context:t_Slice u8; + f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11)) +} + +/// Returns the context, guaranteed to be at most 255 bytes long. +val impl_1__context (self: t_DomainSeparationContext) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Returns the pre-hash OID, if any. +val impl_1__pre_hash_oid (self: t_DomainSeparationContext) + : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True) + +type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError + +/// `context` must be at most 255 bytes long. +val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) + : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { + f_oid_pre:Prims.unit -> Type0; + f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; + f_oid:x0: Prims.unit + -> Prims.Pure (t_Array u8 (sz 11)) (f_oid_pre x0) (fun result -> f_oid_post x0 result); + f_hash_pre:t_Slice u8 -> Type0; + f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0; + f_hash:x0: t_Slice u8 + -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result) +} + +/// An implementation of the pre-hash trait for the SHAKE-128 XOF with +/// digest length 256 bytes. +type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH + +let v_PRE_HASH_OID_LEN: usize = sz 11 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: t_PreHash t_SHAKE128_PH (sz 256) = + { + f_oid_pre = (fun (_: Prims.unit) -> true); + f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); + f_oid + = + (fun (_: Prims.unit) -> + let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); + Rust_primitives.Hax.array_of_list 11 list); + f_hash_pre = (fun (message: t_Slice u8) -> true); + f_hash_post = (fun (message: t_Slice u8) (out: t_Array u8 (sz 256)) -> true); + f_hash + = + fun (message: t_Slice u8) -> + let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let output:t_Array u8 (sz 256) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #FStar.Tactics.Typeclasses.solve + (sz 256) + message + output + in + output + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst new file mode 100644 index 000000000..f2d7ff6c7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -0,0 +1,1286 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) = + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let hax_temp_output:t_Array u8 (sz 66) = seed in + domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66)) + +let rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + = + let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | 4uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | _ -> + (out, sampled <: (t_Array i32 (sz 263) & usize)), + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + <: + ((t_Array i32 (sz 263) & usize) & bool) + in + sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_field_modulus #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + = + let done:bool = false in + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + (fun temp_0_ byte -> + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + temp_0_ + in + let byte:u8 = byte in + if ~.done <: bool + then + let sample_at:usize = cast (byte <: u8) <: usize in + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = + if sample_at <=. out_index + then + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + out_index + (result.[ sample_at ] <: i32) + in + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + sample_at + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) + in + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + in + let done:bool = + out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) + in + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + in + let hax_temp_output:bool = done in + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) + +let sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES v_SEED_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 v_SEED_SIZE) + = + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed <: t_Slice u8) + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let signs:u64 = + Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + <: + t_Array u8 (sz 8)) + in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let out_index:usize = + (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! v_NUMBER_OF_ONES + in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + out_index + signs + result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) + = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + ~.done <: bool) + (done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness <: t_Slice u8) out_index signs result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) + +let sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) + (seed_base: t_Array u8 (sz 66)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 66) = seed_base in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 64) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 65) + (cast (domain_separator0 >>! 8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = seed0 in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 64) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 65) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = seed0 in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 64) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 65) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = seed0 in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 64) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 65) + (cast (domain_separator3 >>! 8l <: u16) <: u8) + in + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let out0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) sampled0 out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) sampled1 out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) sampled2 out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._4 <: t_Slice u8) sampled3 out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + let + done0, done1, done2, done3, out0, out1, out2, out3, sampled0, sampled1, sampled2, sampled3, state:( + bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let done0, out0, sampled0:(bool & t_Array i32 (sz 263) & usize) = + if ~.done0 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._1 <: t_Slice u8) + sampled0 + out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + else done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + in + let done1, out1, sampled1:(bool & t_Array i32 (sz 263) & usize) = + if ~.done1 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._2 <: t_Slice u8) + sampled1 + out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + else done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + in + let done2, out2, sampled2:(bool & t_Array i32 (sz 263) & usize) = + if ~.done2 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._3 <: t_Slice u8) + sampled2 + out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + else done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + in + if ~.done3 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._4 <: t_Slice u8) + sampled3 + out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) + else + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 32) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 33) + (cast (domain_separator0 >>! 8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = seed0 in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 32) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 33) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = seed0 in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 32) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 33) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = seed0 in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 32) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 33) + (cast (domain_separator3 >>! 8l <: u16) <: u8) + in + let state:v_Shake128 = + Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + randomness0 + randomness1 + randomness2 + randomness3 + in + let state:v_Shake128 = tmp0 in + let randomness0:t_Array u8 (sz 840) = tmp1 in + let randomness1:t_Array u8 (sz 840) = tmp2 in + let randomness2:t_Array u8 (sz 840) = tmp3 in + let randomness3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness0 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness1 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness2 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness3 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) + (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + let tmp0, out:(v_Shake128 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake128 = tmp0 in + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out + in + let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) = + if ~.done0 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._1 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & usize) = + if ~.done1 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._2 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) = + if ~.done2 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._3 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + in + if ~.done3 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._4 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) + else + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 (sz 66)) + = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 576) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | 19uy -> + let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 640) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + = + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((v_DIMENSION =. sz 4 <: bool) || (v_DIMENSION =. sz 5 <: bool) || + (v_DIMENSION =. sz 7 <: bool)) + in + () + in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed0:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed1:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed2:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed3:t_Array u8 (sz 66) = out4 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) & + t_Array u8 (sz 576)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 576) = tmp0 in + let out1:t_Array u8 (sz 576) = tmp1 in + let out2:t_Array u8 (sz 576) = tmp2 in + let out3:t_Array u8 (sz 576) = tmp3 in + let _:Prims.unit = () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | 19uy -> + let out0:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out1:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out2:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out3:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640) & + t_Array u8 (sz 640)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 640) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 640) = tmp0 in + let out1:t_Array u8 (sz 640) = tmp1 in + let out2:t_Array u8 (sz 640) = tmp2 in + let out3:t_Array u8 (sz 640) = tmp3 in + let _:Prims.unit = () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | _ -> mask + in + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + Rust_primitives.Hax.Folds.fold_range (sz 4) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + (fun temp_0_ i -> + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let i:usize = i in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + i + (sample_mask_ring_element #v_SIMDUnit #v_Shake256 v_GAMMA1_EXPONENT seed + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + in + let hax_temp_output:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + mask + in + domain_separator, hax_temp_output + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti new file mode 100644 index 000000000..a742ab51f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) + : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES v_SEED_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 v_SEED_SIZE) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256 |} + (seed_base: t_Array u8 (sz 66)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + : Prims.Pure + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst new file mode 100644 index 000000000..ac648b477 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst @@ -0,0 +1,1295 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_domain_separator (row column: u8) = + (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._4 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 5) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 6) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 12us + 13us + 14us + 15us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 6) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 7) four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + = + match + (cast (v_S1_DIMENSION <: usize) <: u8), (cast (v_S2_DIMENSION <: usize) <: u8) <: (u8 & u8) + with + | 4uy, 4uy -> + sample_s1_and_s2_4_by_4_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 5uy, 6uy -> + sample_s1_and_s2_5_by_6_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 7uy, 8uy -> + sample_s1_and_s2_7_by_8_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti new file mode 100644 index 000000000..a914aec27 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti @@ -0,0 +1,121 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_domain_separator (row column: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) + +val update_matrix + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (m: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (i j: usize) + (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_4_by_4_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_6_by_5_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_8_by_7_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst new file mode 100644 index 000000000..6c88f5ff3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -0,0 +1,267 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs + +let compute_hint (v_GAMMA2: i32) (low high: u8) = + let gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 in + let minus_gamma2:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) + in + let low_within_bound:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 + low + <: + u8) + gamma2 + in + let low_equals_minus_gamma2:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2 + in + let low_equals_minus_gamma2_and_high_is_nonzero:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high + in + let hints:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound + low_equals_minus_gamma2_and_high_is_nonzero + in + let hints_mask:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + hints + <: + u8) + in + (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: u8) + <: + (usize & u8) + +let infinity_norm_exceeds (simd_unit: u8) (bound: i32) = + let absolute_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit in + let bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) in + let compare_with_bound:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound + in + let result:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound + in + if result =. 1l then false else true + +let subtract (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + +let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) = + let shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit in + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l <: u8) + in + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l <: u8) + in + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA <: u8) + in + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in + let field_modulus_and_mask:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + u8) + in + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask in + r0, r1 <: (u8 & u8) + +let use_hint (v_GAMMA2: i32) (r hint: u8) = + let r0, r1:(u8 & u8) = decompose v_GAMMA2 r in + let all_zeros:u8 = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () in + let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 in + let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints in + let hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints in + let r1_plus_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints in + match v_GAMMA2 with + | 95232l -> + let max:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in + let r1_plus_hints:u8 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints + in + let greater_than_or_equal_to_max:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max + in + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints + all_zeros + greater_than_or_equal_to_max + | 261888l -> + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: u8) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti new file mode 100644 index 000000000..e11e02fab --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti @@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val compute_hint (v_GAMMA2: i32) (low high: u8) + : Prims.Pure (usize & u8) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds (simd_unit: u8) (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val subtract (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val to_unsigned_representatives (t: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant (lhs: u8) (constant: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val decompose (v_GAMMA2: i32) (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val use_hint (v_GAMMA2: i32) (r hint: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst new file mode 100644 index 000000000..fba456933 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst @@ -0,0 +1,141 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy + 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy + <: + u8) + in + let serialized:t_Array u8 (sz 19) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + adjacent_4_combined + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + | 6uy -> + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y + <: + u8) + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti new file mode 100644 index 000000000..74c8d9c15 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti @@ -0,0 +1,7 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst new file mode 100644 index 000000000..be78d6aba --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst @@ -0,0 +1,229 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool) + in + () + in + let bytes_in_simd_unit:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) + (cast (bytes.[ sz 2 ] <: u8) <: i32) + (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized + | 4uy -> deserialize_to_unsigned_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + let unsigned:u8 = deserialize_to_unsigned v_ETA serialized in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ( + cast (v_ETA <: usize) <: i32) + <: + u8) + unsigned + +let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_eta_is_2___ETA + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 29l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y + <: + u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 0s 0s 0s 0s 0s 0s (1s < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti new file mode 100644 index 000000000..45782f6dc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti @@ -0,0 +1,33 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst new file mode 100644 index 000000000..929fa141e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst @@ -0,0 +1,291 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let serialized_lower:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 2; + Core.Ops.Range.f_end = sz 18 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y + 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK + + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1 + + <: + u8) + coefficients + +let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool) + in + () + in + let serialized_lower:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 20 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y + 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK + + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1 + + <: + u8) + coefficients + +let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_17___GAMMA1 + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined + in + let every_second_element:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined + in + let every_second_element_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_2_combined every_second_element_shifted + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L <: u8) + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 25 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 9; + Core.Ops.Range.f_end = sz 25 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_19___GAMMA1 + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y + 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y + 0y + <: + u8) + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 26 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti new file mode 100644 index 000000000..655c1c899 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti @@ -0,0 +1,36 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst new file mode 100644 index 000000000..f60e7085a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst @@ -0,0 +1,112 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let change_interval (simd_unit: u8) = + let interval_end:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let serialized_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8) + in + let serialized:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y) + (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y + 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8) + in + change_interval coefficients + +let serialize (simd_unit: u8) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit:u8 = change_interval simd_unit in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 19l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 6l adjacent_4_combined + in + let second_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_4_combined + in + let least_12_bits_shifted_up:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 52l second_4_combined + in + let bits_sequential:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_4_combined least_12_bits_shifted_up + in + let bits_sequential:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 bits_sequential + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L <: u8) + in + let bits_sequential:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential in + let serialized:t_Array u8 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential + in + Core.Result.impl__unwrap #(t_Array u8 (sz 13)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 13)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 13)) Core.Array.t_TryFromSliceError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti new file mode 100644 index 000000000..a8bc01c8f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val change_interval (simd_unit: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst new file mode 100644 index 000000000..c2206218a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst @@ -0,0 +1,120 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (simd_unit: u8) = + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 5; + Core.Ops.Range.f_end = sz 21 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 10)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 10)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) + +let deserialize (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 bytes, sz 10 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let bytes_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let bytes_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range bytes_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (bytes_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + bytes + <: + t_Slice u8) + in + let bytes_loaded:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes_extended <: t_Slice u8) + in + let bytes_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y) + (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y) + (-1y) 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti new file mode 100644 index 000000000..7999a014d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti @@ -0,0 +1,10 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst new file mode 100644 index 000000000..72db9fe4d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst @@ -0,0 +1,717 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let ntt_at_layer_7_and_6___mul + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: u8) + (step_by: usize) + (field_modulus inverse_of_modulus_mod_montgomery_r: u8) + = + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ] <: u8) zeta + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ index +! step_by <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] <: u8) t <: u8) + in + re + +let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = + let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in + let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled in + let zeta_multiplicands:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled + in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3 + zeta_b2 + zeta_a3 + zeta_a2 + zeta_b1 + zeta_b0 + zeta_a1 + zeta_a0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_terms_shuffled:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + in + let b_terms_shuffled:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled in + a_out, b_out <: (u8 & u8) + +let butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) = + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 + zeta_b1 + zeta_a1 + zeta_a1 + zeta_b0 + zeta_b0 + zeta_a0 + zeta_a0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in + a_out, b_out <: (u8 & u8) + +let butterfly_8_ (a b: u8) (zeta0 zeta1: i32) = + let summands:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + b + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a <: u8) + in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + sub_terms + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms <: u8) + in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms in + a_out, b_out <: (u8 & u8) + +let invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) = + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 0l zeta2 0l zeta1 0l zeta0 0l + in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) 1l (-1l) 1l (-1l) 1l (-1l) 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l sums products + +let invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) = + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 0l 0l zeta0 zeta0 0l 0l + in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) 1l 1l (-1l) (-1l) 1l 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 204l sums products + +let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) (-1l) (-1l) 1l 1l 1l 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products + +let ntt_at_layer_0___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) + = + let a, b:(u8 & u8) = + butterfly_2_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ zeta_2_ + zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_ + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + in + re + +let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l + (-2446433l) (-3562462l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l) + (-1197226l) (-3193378l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l) + (-522500l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l) + (-768622l) (-3595838l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l) + 1735879l 203044l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l + 2486353l 1595974l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l + 1903435l (-1050970l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l) + 1312455l 3306115l (-1962642l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l + 2235880l 3406031l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l) + (-3724270l) 594136l (-3776993l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l + 185531l (-1207385l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l + (-3694233l) (-1799107l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l) + 1717735l 472078l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l) + (-1104333l) (-260646l) (-3833893l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l + (-976891l) 1612842l (-3545687l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l + (-846154l) 1976782l + in + re + +let ntt_at_layer_1___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + = + let a, b:(u8 & u8) = + butterfly_4_ (re.[ index ] <: u8) + (re.[ index +! sz 1 <: usize ] <: u8) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + in + re + +let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) 2147896l 2715295l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l 1852771l (-1430430l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l 508951l 3097992l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) 904516l 3958618l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) 759969l (-1316856l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) 3159746l (-1851402l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l) + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l + in + re + +let ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) = + let a, b:(u8 & u8) = + butterfly_8_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + in + re + +let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l 95776l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l 3530437l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l (-300467l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l (-539299l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l 531354l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l 3881043l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l) in + re + +let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let inverse_of_modulus_mod_montgomery_r:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) + <: + i32) + in + let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in + let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in + let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 8) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 1 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 2 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 3 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 16) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 1 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 2 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 3 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 12) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 1 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 2 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 3 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 20) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 20 +! sz 1 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 20 +! sz 2 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let re:t_Array u8 (sz 32) = + ntt_at_layer_7_and_6___mul re + (sz 20 +! sz 3 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r + in + let _:Prims.unit = () in + re + +let ntt_at_layer_5_to_3___round + (v_STEP v_STEP_BY: usize) + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: i32) + = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 zeta in + let offset:usize = + ((index *! v_STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l in + let _:Prims.unit = () in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let ntt (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = ntt_at_layer_7_and_6_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_2_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_1_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_0_ re in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti new file mode 100644 index 000000000..b0253f5ed --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let butterfly_2___SHUFFLE: i32 = 216l + +let ntt_at_layer_5_to_3___STEP: usize = sz 1 < Prims.l_True) + +let ntt_at_layer_5_to_3___STEP_BY: usize = + ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + +let ntt_at_layer_5_to_3___STEP_BY_1: usize = + ntt_at_layer_5_to_3___STEP_1 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + +let ntt_at_layer_5_to_3___STEP_BY_2: usize = + ntt_at_layer_5_to_3___STEP_2 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + +let ntt_at_layer_7_and_6___STEP_BY_6_: usize = + (sz 1 < Prims.l_True) + +val butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val butterfly_8_ (a b: u8) (zeta0 zeta1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// This is equivalent to the pqclean 0 and 1 +/// This does 32 Montgomery multiplications (192 multiplications). +/// This is the same as in pqclean. The only difference is locality of registers. +val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_5_to_3___round + (v_STEP v_STEP_BY: usize) + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Layer 5, 4, 3 +/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total +/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) +val ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst new file mode 100644 index 000000000..51c69e1a1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst @@ -0,0 +1,137 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let shift_interval (v_ETA: usize) (coefficients: u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l <: u8) + in + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient in + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l <: u8) + in + let coefficients_mod_5_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 coefficients quotient + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + u8) + coefficients_mod_5_ + | 4uy -> + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + u8) + coefficients + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = + let potential_coefficients:u8 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input + in + let (interval_boundary: i32):i32 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> 15l + | 4uy -> 9l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let compare_with_interval_boundary:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + interval_boundary + <: + u8) + potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_interval_boundary + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let shifted:u8 = shift_interval v_ETA potential_coefficients in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti new file mode 100644 index 000000000..43361f3bb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti @@ -0,0 +1,10 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val shift_interval (v_ETA: usize) (coefficients: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst new file mode 100644 index 000000000..1ff5ab537 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst @@ -0,0 +1,138 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 serialized, sz 24 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized_extended:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_to serialized_extended + ({ Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize + ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_u8 (serialized_extended <: t_Slice u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y + (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 bytestream_to_potential_coefficients__COEFFICIENT_MASK + + <: + u8) + +let sample (input: t_Slice u8) (output: t_Slice i32) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let potential_coefficients:u8 = bytestream_to_potential_coefficients input in + let compare_with_field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 field_modulus potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_field_modulus + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients + in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients + in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti new file mode 100644 index 000000000..185397a4b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val sample (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst new file mode 100644 index 000000000..97a40a5a5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst @@ -0,0 +1,107 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let is_bit_set (number: usize) (bit_position: u8) = + ((number &. (sz 1 <>! bit_position <: usize) =. sz 1 + +let generate_shuffle_table (_: Prims.unit) = + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 255uy (sz 16) <: t_Array u8 (sz 16)) + (sz 16) + in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 1 < + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let _:usize = temp_1_ in + true) + byte_shuffles + (fun byte_shuffles bit_pattern -> + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let bit_pattern:usize = bit_pattern in + let byte_shuffles_index:usize = sz 0 in + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = + Rust_primitives.Hax.Folds.fold_range 0uy + 4uy + (fun temp_0_ temp_1_ -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let _:u8 = temp_1_ in + true) + (byte_shuffles, byte_shuffles_index <: (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + (fun temp_0_ bit_position -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let bit_position:u8 = bit_position in + if is_bit_set bit_pattern bit_position <: bool + then + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + (bit_position *! 4uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 1uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 2uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 3uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize) + else + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + in + byte_shuffles) + in + byte_shuffles diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti new file mode 100644 index 000000000..9586d3a7b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti @@ -0,0 +1,140 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = + let list = + [ + (let list = + [ + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + +val is_bit_set (number: usize) (bit_position: u8) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val generate_shuffle_table: Prims.unit + -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst new file mode 100644 index 000000000..e220b31db --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -0,0 +1,23 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_ZERO (_: Prims.unit) = + Core.Convert.f_into #u8 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8) + +let from_coefficient_array (coefficient_array: t_Slice i32) = + Core.Convert.f_into #u8 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array <: u8) + +let to_coefficient_array (x: t_AVX2SIMDUnit) = + let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in + let coefficient_array:t_Array i32 (sz 8) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array x.f_coefficients + in + coefficient_array diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti new file mode 100644 index 000000000..052da1273 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -0,0 +1,22 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_AVX2SIMDUnit = { f_coefficients:u8 } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Core.Convert.t_From t_AVX2SIMDUnit u8 = + { + f_from_pre = (fun (coefficients: u8) -> true); + f_from_post = (fun (coefficients: u8) (out: t_AVX2SIMDUnit) -> true); + f_from = fun (coefficients: u8) -> { f_coefficients = coefficients } <: t_AVX2SIMDUnit + } + +val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (coefficient_array: t_Slice i32) + : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_AVX2SIMDUnit) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti new file mode 100644 index 000000000..46926e5bb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti @@ -0,0 +1,636 @@ +module Libcrux_ml_dsa.Simd.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO ()); + f_from_coefficient_array_pre = (fun (coefficient_array: t_Slice i32) -> true); + f_from_coefficient_array_post + = + (fun + (coefficient_array: t_Slice i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_from_coefficient_array + = + (fun (coefficient_array: t_Slice i32) -> + Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_to_coefficient_array_post + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (out: t_Array i32 (sz 8)) -> + true); + f_to_coefficient_array + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (constant: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + constant + <: + u8)); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_power2round_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_power2round + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + let lower, upper:(u8 & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (bound: i32) + (out: bool) + -> + true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + bound); + f_decompose_pre + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + let lower, upper:(u8 & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + let count, hint:(usize & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 + low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + count, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + hint + <: + (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_use_hint_pre + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_use_hint + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + f_gamma1_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_gamma1_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: u8)); + f_commitment_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + f_commitment_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_commitment_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_error_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + f_error_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_error_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized <: u8)); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (sz 13)) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized <: u8)); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (sz 10)) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized <: u8)); + f_ntt_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> + let result:t_Array u8 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt (Core.Array.impl_23__map #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + (sz 32) + #u8 + simd_units + (fun x -> + let x:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = x in + x.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients) + <: + t_Array u8 (sz 32)) + in + Core.Array.impl_23__map #u8 + (sz 32) + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + result + (fun x -> + let x:u8 = x in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + x + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_invert_ntt_at_layer_0_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + true); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta0 + zeta1 + zeta2 + zeta3 + <: + u8)); + f_invert_ntt_at_layer_1_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); + f_invert_ntt_at_layer_1_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_1_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta0 + zeta1 + <: + u8)); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta + <: + u8) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst new file mode 100644 index 000000000..b8a8a4b00 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -0,0 +1,608 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let compute_one_hint (v_GAMMA2 low high: i32) = + if + low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + then 1l + else 0l + +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) + +let decompose_element (v_GAMMA2 r: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((r >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let v_ALPHA:i32 = v_GAMMA2 *! 2l in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match v_ALPHA with + | 190464l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result + | 523776l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. + Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) + +let infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter + i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + exceeds + (fun exceeds coefficient -> + let exceeds:bool = exceeds in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((coefficient >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let sign:i32 = coefficient >>! 31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + let exceeds:bool = exceeds || normalized >=. bound in + exceeds) + in + exceeds + +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((t >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i, t:(usize & i32) = temp_1_ in + let t0, t1:(i32 & i32) = power2round_element t in + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t0_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t1_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t1 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun sum temp_1_ -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let i:usize = i in + { + sum with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + sum + +let compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let one_hints_count:usize = sz 0 in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + (fun temp_0_ i -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let i:usize = i in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let one_hints_count:usize = + one_hints_count +! + (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + usize) + in + hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + in + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ i -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i:usize = i in + let low_part, high_part:(i32 & i32) = + decompose_element v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + low with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + low_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + high with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + high_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun product temp_1_ -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let _:usize = temp_1_ in + true) + product + (fun product i -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let i:usize = i in + { + product with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! + (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + product + +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit i -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i:usize = i in + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! + (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + simd_unit + +let shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i + ] + <: + i32) < + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let i:usize = i in + { + difference with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + difference + +let use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let i:usize = i in + { + result with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (use_one_hint v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti new file mode 100644 index 000000000..2a50db3ec --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -0,0 +1,89 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_MONTGOMERY_SHIFT: u8 = 32uy + +val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val get_n_least_significant_bits (n: u8) (value: u64) + : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) + +val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val decompose_element (v_GAMMA2 r: i32) + : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst new file mode 100644 index 000000000..ff1788cd5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst @@ -0,0 +1,72 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in + let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3 *! i <: usize) + ((coefficient1 <>! 2l <: u8) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 3 *! i <: usize) +! sz 2 <: usize) + ((coefficient3 <>! 4l <: u8) <: u8) + in + serialized) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti new file mode 100644 index 000000000..cc50ef52c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -0,0 +1,9 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst new file mode 100644 index 000000000..a91008218 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst @@ -0,0 +1,332 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 2l <: u8) + <: + u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 1l <: u8) + <: + u8) + in + serialized + +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (deserialize_when_eta_is_2___ETA -! + (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, byte:(usize & u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit) + in + simd_unit + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> deserialize_when_eta_is_2_ serialized + | 4uy -> deserialize_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti new file mode 100644 index 000000000..e973dc734 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -0,0 +1,42 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_eta_is_2___ETA: i32 = 2l + +let deserialize_when_eta_is_4___ETA: i32 = 4l + +let serialize_when_eta_is_2___ETA: i32 = 2l + +let serialize_when_eta_is_4___ETA: i32 = 4l + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst new file mode 100644 index 000000000..ca1f48e87 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst @@ -0,0 +1,376 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) + serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let coefficient0:i32 = + coefficient0 |. ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l in + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l in + let coefficient2:i32 = + coefficient2 |. ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 6l in + let coefficient3:i32 = + coefficient3 |. ((cast (bytes.[ sz 7 ] <: u8) <: i32) < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let coefficient0:i32 = + coefficient0 |. ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 4l in + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let coefficient2:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) + in + let coefficient3:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 10l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 12l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti new file mode 100644 index 000000000..a22f485c1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -0,0 +1,48 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst new file mode 100644 index 000000000..b9ecdb13c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst @@ -0,0 +1,310 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let change_t0_interval (t0: i32) = + (1l <>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 10l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) + in + serialized + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool) + in + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in + let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in + let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in + let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in + let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in + let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in + let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in + let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in + let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in + let coefficient0:i32 = byte0 in + let coefficient0:i32 = coefficient0 |. (byte1 <>! 5l in + let coefficient1:i32 = coefficient1 |. (byte2 <>! 2l in + let coefficient2:i32 = coefficient2 |. (byte4 <>! 7l in + let coefficient3:i32 = coefficient3 |. (byte5 <>! 4l in + let coefficient4:i32 = coefficient4 |. (byte7 <>! 1l in + let coefficient5:i32 = coefficient5 |. (byte9 <>! 6l in + let coefficient6:i32 = coefficient6 |. (byte10 <>! 3l in + let coefficient7:i32 = coefficient7 |. (byte12 < Prims.l_True) + +let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = + (1l < Prims.l_True) + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst new file mode 100644 index 000000000..aab3acfcc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst @@ -0,0 +1,140 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let mask:i32 = (1l < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 < + let serialized:t_Array u8 (sz 10) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) + in + serialized) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti new file mode 100644 index 000000000..0d94a5f30 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst new file mode 100644 index 000000000..5cddf2bbf --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst @@ -0,0 +1,1453 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] + <: + i32) + zeta0 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta3 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_0___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_ntt_at_layer_0_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + +let ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l + in + re + +let simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_1___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_ntt_at_layer_1_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + zeta_0_ + zeta_1_ + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + +let ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 9) 2147896l 2715295l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 17) 508951l 3097992l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 19) 904516l 3958618l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 27) 1315589l 1341330l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l + in + re + +let simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_2___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_ntt_at_layer_2_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + zeta + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + +let ntt_at_layer_2_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 0) 2706023l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 1) 95776l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 2) 3077325l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 3) 3530437l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 4) (-1661693l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 5) (-3592148l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 6) (-2537516l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 7) 3915439l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 8) (-3861115l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 9) (-3043716l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 10) 3574422l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 11) (-2867647l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 12) 3539968l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 13) (-300467l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 14) 2348700l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 15) (-539299l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 16) (-1699267l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 17) (-1643818l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 18) 3505694l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 19) (-3821735l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 20) 3507263l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 21) (-2140649l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 22) (-1600420l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 23) 3699596l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 24) 811944l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 25) 531354l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 26) 954230l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 27) 3881043l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 28) 3900724l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 29) (-2556880l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 30) 2071892l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 31) (-2797779l) + in + re + +let outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + v_STEP_BY + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + v_ZETA + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 1) 2725464l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 2) (sz 1) 1024112l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 1) (-1079900l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 6) (sz 1) 3585928l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 1) (-549488l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 10) (sz 1) (-1119584l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 1) 2619752l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 14) (sz 1) (-2108549l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 1) (-2118186l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 18) (sz 1) (-3859737l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 1) (-1399561l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 22) (sz 1) (-3277672l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 1) 1757237l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 26) (sz 1) (-19422l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 1) 4010497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 30) (sz 1) 280005l re + in + re + +let ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 2) 1826347l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 2) 2353451l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 2) (-359251l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 2) (-2091905l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 2) 3119733l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 2) (-2884855l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 2) 3111497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 2) 2680103l re + in + re + +let ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 4) 237124l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 4) (-777960l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 4) (-876248l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 4) 466468l re + in + re + +let ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 8) (-2608894l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 8) (-518909l) re + in + re + +let ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 16) 25847l re + in + re + +let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0_ re + in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti new file mode 100644 index 000000000..ae1f422e4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti @@ -0,0 +1,151 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let ntt_at_layer_3___STEP: usize = sz 8 + +let ntt_at_layer_3___STEP_BY: usize = sz 1 + +let ntt_at_layer_4___STEP: usize = sz 16 + +let ntt_at_layer_4___STEP_BY: usize = sz 2 + +let ntt_at_layer_5___STEP: usize = sz 32 + +let ntt_at_layer_5___STEP_BY: usize = sz 4 + +let ntt_at_layer_6___STEP: usize = sz 64 + +let ntt_at_layer_6___STEP_BY: usize = sz 8 + +let ntt_at_layer_7___STEP: usize = sz 128 + +let ntt_at_layer_7___STEP_BY: usize = sz 16 + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst new file mode 100644 index 000000000..25f533de9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst @@ -0,0 +1,123 @@ +module Libcrux_ml_dsa.Simd.Portable.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 15uy + then + let try_0_:i32 = cast (try_0_ <: u8) <: i32 in + let try_0_mod_5_:i32 = + try_0_ -! (((try_0_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_0_mod_5_ <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 15uy + then + let try_1_:i32 = cast (try_1_ <: u8) <: i32 in + let try_1_mod_5_:i32 = + try_1_ -! (((try_1_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_1_mod_5_ <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_0_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_1_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ bytes -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let bytes:t_Slice u8 = bytes in + let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let coefficient:i32 = + (((b2 < Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst new file mode 100644 index 000000000..338234407 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst @@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let from_coefficient_array (array: t_Slice i32) = + { + f_coefficients + = + Core.Result.impl__unwrap #(t_Array i32 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i32) + #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (array.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + Core.Result.t_Result (t_Array i32 (sz 8)) Core.Array.t_TryFromSliceError) + } + <: + t_PortableSIMDUnit + +let to_coefficient_array (x: t_PortableSIMDUnit) = x.f_coefficients + +let v_ZERO (_: Prims.unit) = + { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti new file mode 100644 index 000000000..0b3010e59 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti @@ -0,0 +1,14 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (sz 8) } + +val from_coefficient_array (array: t_Slice i32) + : Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_PortableSIMDUnit) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti new file mode 100644 index 000000000..4b05f75c3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti @@ -0,0 +1,532 @@ +module Libcrux_ml_dsa.Simd.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO ()); + f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); + f_from_coefficient_array_post + = + (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) -> + Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_to_coefficient_array_post + = + (fun + (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array i32 (sz 8)) + -> + true); + f_to_coefficient_array + = + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); + f_shift_left_then_reduce_pre + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_shift_left_then_reduce + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_power2round_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_power2round + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> + true); + f_infinity_norm_exceeds_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + (out: bool) + -> + true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); + f_use_hint_pre + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_use_hint + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_gamma1_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_gamma1_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); + f_commitment_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_commitment_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_commitment_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); + f_error_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_error_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_error_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (sz 13)) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized + ); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (sz 10)) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized + ); + f_ntt_pre + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + true); + f_ntt + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); + f_invert_ntt_at_layer_0_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + true); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + f_invert_ntt_at_layer_1_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); + f_invert_ntt_at_layer_1_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_1_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> + true); + f_invert_ntt_at_layer_2_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst new file mode 100644 index 000000000..5bf547714 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst @@ -0,0 +1,11 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let montgomery_multiply_by_fer + (#v_S: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_S) + (simd_unit: v_S) + (fer: i32) + = f_montgomery_multiply_by_constant #v_S #FStar.Tactics.Typeclasses.solve simd_unit fer diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti new file mode 100644 index 000000000..543e2b390 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -0,0 +1,185 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Operations (v_Self: Type0) = { + [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; + [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; + f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); + f_from_coefficient_array_pre:t_Slice i32 -> Type0; + f_from_coefficient_array_post:t_Slice i32 -> v_Self -> Type0; + f_from_coefficient_array:x0: t_Slice i32 + -> Prims.Pure v_Self + (f_from_coefficient_array_pre x0) + (fun result -> f_from_coefficient_array_post x0 result); + f_to_coefficient_array_pre:v_Self -> Type0; + f_to_coefficient_array_post:v_Self -> t_Array i32 (sz 8) -> Type0; + f_to_coefficient_array:x0: v_Self + -> Prims.Pure (t_Array i32 (sz 8)) + (f_to_coefficient_array_pre x0) + (fun result -> f_to_coefficient_array_post x0 result); + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; + f_add:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); + f_subtract_pre:v_Self -> v_Self -> Type0; + f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; + f_subtract:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); + f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; + f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; + f_infinity_norm_exceeds:x0: v_Self -> x1: i32 + -> Prims.Pure bool + (f_infinity_norm_exceeds_pre x0 x1) + (fun result -> f_infinity_norm_exceeds_post x0 x1 result); + f_decompose_pre:v_GAMMA2: i32 -> v_Self -> Type0; + f_decompose_post:v_GAMMA2: i32 -> v_Self -> (v_Self & v_Self) -> Type0; + f_decompose:v_GAMMA2: i32 -> x0: v_Self + -> Prims.Pure (v_Self & v_Self) + (f_decompose_pre v_GAMMA2 x0) + (fun result -> f_decompose_post v_GAMMA2 x0 result); + f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> (usize & v_Self) -> Type0; + f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure (usize & v_Self) + (f_compute_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 result); + f_use_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_use_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_use_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_use_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_use_hint_post v_GAMMA2 x0 x1 result); + f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; + f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; + f_montgomery_multiply:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_montgomery_multiply_pre x0 x1) + (fun result -> f_montgomery_multiply_post x0 x1 result); + f_montgomery_multiply_by_constant_pre:v_Self -> i32 -> Type0; + f_montgomery_multiply_by_constant_post:v_Self -> i32 -> v_Self -> Type0; + f_montgomery_multiply_by_constant:x0: v_Self -> x1: i32 + -> Prims.Pure v_Self + (f_montgomery_multiply_by_constant_pre x0 x1) + (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); + f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; + f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self + -> Prims.Pure v_Self + (f_shift_left_then_reduce_pre v_SHIFT_BY x0) + (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); + f_power2round_pre:v_Self -> Type0; + f_power2round_post:v_Self -> (v_Self & v_Self) -> Type0; + f_power2round:x0: v_Self + -> Prims.Pure (v_Self & v_Self) + (f_power2round_pre x0) + (fun result -> f_power2round_post x0 result); + f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_field_modulus_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_field_modulus:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_field_modulus_pre x0 x1) + (fun result -> f_rejection_sample_less_than_field_modulus_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_2_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_2_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_2_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_2_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_2_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_4_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_4_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_4_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); + f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_gamma1_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result); + f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; + f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; + f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_gamma1_deserialize_pre v_GAMMA1_EXPONENT x0) + (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); + f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_commitment_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result); + f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_error_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result); + f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; + f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; + f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_error_deserialize_pre v_ETA x0) + (fun result -> f_error_deserialize_post v_ETA x0 result); + f_t0_serialize_pre:v_Self -> Type0; + f_t0_serialize_post:v_Self -> t_Array u8 (sz 13) -> Type0; + f_t0_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 13)) + (f_t0_serialize_pre x0) + (fun result -> f_t0_serialize_post x0 result); + f_t0_deserialize_pre:t_Slice u8 -> Type0; + f_t0_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t0_deserialize:x0: t_Slice u8 + -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); + f_t1_serialize_pre:v_Self -> Type0; + f_t1_serialize_post:v_Self -> t_Array u8 (sz 10) -> Type0; + f_t1_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 10)) + (f_t1_serialize_pre x0) + (fun result -> f_t1_serialize_post x0 result); + f_t1_deserialize_pre:t_Slice u8 -> Type0; + f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t1_deserialize:x0: t_Slice u8 + -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); + f_ntt_pre:t_Array v_Self (sz 32) -> Type0; + f_ntt_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; + f_ntt:x0: t_Array v_Self (sz 32) + -> Prims.Pure (t_Array v_Self (sz 32)) (f_ntt_pre x0) (fun result -> f_ntt_post x0 result); + f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; + f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_0_pre x0 x1 x2 x3 x4) + (fun result -> f_invert_ntt_at_layer_0_post x0 x1 x2 x3 x4 result); + f_invert_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0; + f_invert_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_1_pre x0 x1 x2) + (fun result -> f_invert_ntt_at_layer_1_post x0 x1 x2 result); + f_invert_ntt_at_layer_2_pre:v_Self -> i32 -> Type0; + f_invert_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_2_:x0: v_Self -> x1: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_2_pre x0 x1) + (fun result -> f_invert_ntt_at_layer_2_post x0 x1 result) +} + +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT + +val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32) + : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst new file mode 100644 index 000000000..8af0ff228 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst @@ -0,0 +1,34 @@ +module Libcrux_ml_dsa.Types +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let t_SigningError_cast_to_repr (x: t_SigningError) = + match x with + | SigningError_RejectionSamplingError -> isz 0 + | SigningError_ContextTooLongError -> isz 1 + +let t_VerificationError_cast_to_repr (x: t_VerificationError) = + match x with + | VerificationError_MalformedHintError -> isz 0 + | VerificationError_SignerResponseExceedsBoundError -> isz 1 + | VerificationError_CommitmentHashesDontMatchError -> isz 3 + | VerificationError_ContextTooLongError -> isz 6 + +let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self._0 <: t_Slice u8 + +let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self._0 <: t_Slice u8 + +let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti new file mode 100644 index 000000000..f121066d7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti @@ -0,0 +1,77 @@ +module Libcrux_ml_dsa.Types +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// The number of bytes +val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_2__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_4__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +///An ML-DSA signature. +type t_MLDSASignature (v_SIZE: usize) = + | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE + +///An ML-DSA signature key. +type t_MLDSASigningKey (v_SIZE: usize) = + | MLDSASigningKey : t_Array u8 v_SIZE -> t_MLDSASigningKey v_SIZE + +///An ML-DSA verification key. +type t_MLDSAVerificationKey (v_SIZE: usize) = + | MLDSAVerificationKey : t_Array u8 v_SIZE -> t_MLDSAVerificationKey v_SIZE + +/// An ML-DSA key pair. +type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = { + f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE; + f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE +} + +type t_Signature + (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { + f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; + f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A; + f_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A +} + +type t_SigningError = + | SigningError_RejectionSamplingError : t_SigningError + | SigningError_ContextTooLongError : t_SigningError + +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +type t_VerificationError = + | VerificationError_MalformedHintError : t_VerificationError + | VerificationError_SignerResponseExceedsBoundError : t_VerificationError + | VerificationError_CommitmentHashesDontMatchError : t_VerificationError + | VerificationError_ContextTooLongError : t_VerificationError + +val t_VerificationError_cast_to_repr (x: t_VerificationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst new file mode 100644 index 000000000..82aa84965 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst @@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Utils +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN <: bool) + in + () + in + let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let out:t_Array u8 v_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti new file mode 100644 index 000000000..112de368e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti @@ -0,0 +1,8 @@ +module Libcrux_ml_dsa.Utils +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Pad the `slice` with `0`s at the end. +val into_padded_array (v_LEN: usize) (slice: t_Slice u8) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) diff --git a/fstar-helpers/fstar-bitvec/Makefile b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile similarity index 69% rename from fstar-helpers/fstar-bitvec/Makefile rename to libcrux-ml-dsa/proofs/fstar/extraction/Makefile index b4ce70a38..4f7a001a8 100644 --- a/fstar-helpers/fstar-bitvec/Makefile +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile @@ -1 +1,3 @@ +SLOW_MODULES += +ADMIT_MODULES = include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph new file mode 100644 index 000000000..ddce2bce1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph @@ -0,0 +1,4883 @@ +digraph { + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "prims" + "fstar_reflection_const" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "core_slice" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_ntt" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_44_" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "fstar_bitvector" + "fstar_sealed_inhabited" -> "fstar_sealed" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "prims" + "fstar_sealed_inhabited" -> "prims" + "core_fmt" -> "core_fmt_rt" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "core_result" + "core_fmt" -> "core_result" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "prims" + "core_fmt" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_vconfig" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "prims" + "fstar_reflection_v1_derived" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "fstar_tactics_bv" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "prims" + "fstar_seq" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "prims" + "fstar_math_lib" -> "prims" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "prims" + "fstar_reflection_v2_arith" -> "prims" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "lib_sequence" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_ml_dsa_65_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_87_" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_platform_platform" -> "fstar_mul" + "libcrux_platform_platform" -> "core" + "libcrux_platform_platform" -> "fstar_pervasives" + "libcrux_platform_platform" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_65__neon" + "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_encoding_t0" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "prims" + "fstar_heap" -> "prims" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "prims" + "fstar_reflection_v1_compare" -> "prims" + "fstar_issue" -> "fstar_stubs_pprint" + "fstar_issue" -> "fstar_range" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "prims" + "fstar_issue" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_platform_platform" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "fstar_ghost" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "prims" + "fstar_stubs_errors_msg" -> "prims" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_char" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" + "fstar_string" -> "prims" + "spec_sha3" -> "fstar_pervasives_native" + "spec_sha3" -> "fstar_pervasives_native" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "lib_loopcombinators" + "spec_sha3" -> "lib_loopcombinators" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "lib_bytesequence" + "spec_sha3" -> "lib_bytesequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_inttypes" + "spec_sha3" -> "lib_inttypes" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "prims" + "spec_sha3" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_calc" -> "fstar_calc" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "core_ops_range" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "core" + "spec_utils" -> "core" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "prims" + "spec_utils" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_num" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "fstar_stubs_reflection_types" -> "fstar_sealed" + "fstar_stubs_reflection_types" -> "fstar_range" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "prims" + "fstar_stubs_reflection_types" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "prims" + "core_iter_traits_collect" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "core_slice" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_signature" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "prims" + "hax_lib" -> "prims" + "libcrux_ml_dsa_utils" -> "core_ops_range" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax" + "libcrux_ml_dsa_utils" -> "core_slice" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "libcrux_ml_dsa_utils" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "fstar_math_lemmas" + "fstar_calc" -> "fstar_range" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "prims" + "fstar_order" -> "prims" + "fstar_tactics_smt" -> "fstar_vconfig" + "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "fstar_tactics_smt" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "prims" + "core_core_arch_arm_shared_neon" -> "prims" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_stubs_reflection_types" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_sealed" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_signing_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice" + "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice_iter" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_simd_portable_sample" + "fstar_stubs_tactics_types" -> "fstar_issue" + "fstar_stubs_tactics_types" -> "fstar_range" + "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" + "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" + "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "prims" + "fstar_stubs_tactics_types" -> "prims" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "core_panicking" + "libcrux_ml_dsa_samplex4" -> "core_panicking" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "prims" + "fstar_stubs_tactics_result" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_44__neon" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_print" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "lib_inttypes" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_classical" -> "fstar_classical" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "prims" + "fstar_reflection_v1_formula" -> "prims" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_tactics_effect" -> "fstar_range" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_print" -> "fstar_stubs_reflection_types" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_ntt" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "prims" + "fstar_stubs_syntax_syntax" -> "prims" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "prims" + "core_fmt_rt" -> "prims" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_types" + "lib_bytesequence" -> "fstar_pervasives_native" + "lib_bytesequence" -> "fstar_pervasives_native" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_math_lemmas" + "lib_bytesequence" -> "fstar_math_lemmas" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_uint8" + "lib_bytesequence" -> "fstar_uint8" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "lib_loopcombinators" + "lib_bytesequence" -> "lib_loopcombinators" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "lib_bytesequence" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_list_tot" + "spec_sha3_constants" -> "fstar_list_tot" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "lib_sequence" + "spec_sha3_constants" -> "lib_sequence" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "fstar_pervasives" + "spec_sha3_constants" -> "fstar_pervasives" + "spec_sha3_constants" -> "prims" + "spec_sha3_constants" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1" -> "fstar_reflection_v1_compare" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_stubs_reflection_types" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "prims" + "fstar_tactics_v1" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "fstar_seq_base" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "fstar_int8" -> "fstar_int8" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "prims" + "core_clone" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_ntt" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "libcrux_ml_dsa_polynomial" -> "core_ops_range" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "core_option" + "libcrux_ml_dsa_polynomial" -> "core_option" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "core_array_iter" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "prims" + "fstar_erasedlogic" -> "prims" + "core_array" -> "rust_primitives" + "core_array" -> "rust_primitives" + "core_array" -> "fstar_pervasives" + "core_array" -> "fstar_pervasives" + "core_array" -> "prims" + "core_array" -> "prims" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_visit" + "fstar_tactics_names" -> "fstar_tactics_visit" + "fstar_tactics_names" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_names" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_names" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_v2_syntaxhelpers" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "prims" + "core_marker" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" + "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_verification_key" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "fstar_uint32" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_range" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_vconfig" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "prims" + "fstar_tactics_v2_derived" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "fstar_stubs_pprint" -> "fstar_float" + "fstar_stubs_pprint" -> "fstar_char" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "prims" + "fstar_stubs_pprint" -> "prims" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "prims" + "fstar_st" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint64" + "lib_rawinttypes" -> "fstar_uint64" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint16" + "lib_rawinttypes" -> "fstar_uint16" + "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "fstar_uint8" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_int16" -> "fstar_int16" + "fstar_reflection_v1" -> "fstar_reflection_v1_compare" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "prims" + "fstar_reflection_v1" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" + "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_set" -> "fstar_set" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "prims" + "fstar_tactics" -> "prims" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "prims" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_tactics_bv_lemmas" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_44_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_sealed" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "prims" + "fstar_tactics_unseal" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "core_slice" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_bv" -> "fstar_bv" + "fstar_pervasives_native" -> "prims" + "fstar_pervasives_native" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_87__avx2" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "prims" + "fstar_list_tot_base" -> "prims" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "prims" + "fstar_option" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "prims" + "fstar_reflection_v2_formula" -> "prims" + "core_panicking" -> "core_fmt" + "core_panicking" -> "core_option" + "core_panicking" -> "core_option" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "prims" + "core_panicking" -> "prims" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "prims" + "fstar_char" -> "prims" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_mapply" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_tactics" + "lib_loopcombinators" -> "fstar_tactics" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "lib_loopcombinators" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "fstar_classical_sugar" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_ops_range" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "prims" + "fstar_exn" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "libcrux_sha3_traits" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "fstar_list_tot_properties" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "prims" + "fstar_preorder" -> "prims" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "prims" + "fstar_monotonic_pure" -> "prims" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "prims" + "fstar_int_cast_full" -> "prims" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "prims" + "fstar_all" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_slice" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_array_iter" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt_rt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint64" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "core_slice" + "core_convert" -> "core_array" + "core_convert" -> "core_array" + "core_convert" -> "core_result" + "core_convert" -> "core_result" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "rust_primitives" + "core_convert" -> "rust_primitives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "prims" + "core_convert" -> "prims" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_portable_incremental" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_87__portable" + "fstar_range" -> "fstar_sealed" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "prims" + "fstar_range" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_squash" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "fstar_monotonic_heap" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" + "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "prims" + "core_ops_arith_neg" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "core_slice" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_stubs_tactics_v2_builtins" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "fstar_uint128" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_range" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_vconfig" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_v1_derived" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_87__neon" + "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_int128" -> "fstar_int128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "libcrux_ml_dsa_hash_functions_shake256" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_tactics_v1_logic_lemmas" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "prims" + "fstar_sealed" -> "prims" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "prims" + "fstar_vconfig" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "core_slice" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "fstar_seq_properties" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_44__portable" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "prims" + "fstar_float" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax_monomorphized_update_at" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_stubs_reflection_types" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "prims" + "fstar_tactics_v2" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_vconfig" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "prims" + "fstar_reflection_v2_derived" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_stubs_tactics_common" -> "fstar_range" + "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_tactics_common" -> "prims" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "prims" + "fstar_int_cast" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice" + "libcrux_ml_dsa_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_encoding_commitment" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "prims" + "fstar_reflection_v2" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "lib_rawinttypes" + "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "fstar_tactics_namedview" -> "fstar_range" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "fstar_indefinitedescription" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_stubs_reflection_v1_data" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_65__portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_65__avx2" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "fstar_tactics_namedview" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "libcrux_ml_dsa_constants" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_int" -> "fstar_int" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "fstar_uint16" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_int64" -> "fstar_int64" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_slice" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "prims" + "fstar_mul" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "prims" + "fstar_propositionalextensionality" -> "prims" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "prims" + "fstar_predicateextensionality" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_65_" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_array" + "libcrux_ml_dsa_sample" -> "core_array" + "libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_num" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "core_panicking" + "libcrux_ml_dsa_sample" -> "core_panicking" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_sample" -> "core_ops_range" + "libcrux_ml_dsa_sample" -> "core_slice" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "prims" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_seq_properties" + "lib_sequence" -> "fstar_seq_properties" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "lib_sequence" -> "prims" + "lib_sequence" -> "lib_sequence" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_char" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_string" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "prims" + "fstar_class_printable" -> "prims" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "prims" + "fstar_list_tot" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "prims" + "fstar_list" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_uint" -> "fstar_uint" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tset" -> "fstar_tset" + "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_visit" -> "fstar_stubs_reflection_types" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "prims" + "fstar_tactics_visit" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_option" + "libcrux_ml_dsa_encoding_error" -> "core_option" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "core_slice" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_encoding_error" + "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_collect" -> "fstar_pervasives" + "fstar_reflection_v2_collect" -> "fstar_pervasives" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "prims" + "libcrux_sha3_neon_x2" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_44__avx2" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "fstar_tactics_effect" + "core_array_iter" -> "core_iter" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "prims" + "core_array_iter" -> "prims" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_logic" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" +} diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 7030bef96..25db431db 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -14,7 +14,7 @@ pub(crate) fn vector_infinity_norm_exceeds( - input0: &[u8], - input1: &[u8], - input2: &[u8], - input3: &[u8], - out0: &mut [u8; OUT_LEN], - out1: &mut [u8; OUT_LEN], - out2: &mut [u8; OUT_LEN], - out3: &mut [u8; OUT_LEN], - ); - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; - fn squeeze_first_block( + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -32,7 +22,7 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -40,6 +30,16 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ); } } @@ -76,16 +76,14 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { - use libcrux_sha3::portable::{ - incremental::{self, shake128_absorb_final, shake128_init}, - shake128, shake256, KeccakState, - }; - use super::{shake128, shake256}; + use libcrux_sha3::portable::incremental; + use libcrux_sha3::portable::KeccakState; /// Portable SHAKE 128 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128X4 { state0: KeccakState, state1: KeccakState, @@ -93,27 +91,63 @@ pub(crate) mod portable { state3: KeccakState, } - impl shake128::XofX4 for Shake128X4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - #[inline(always)] - fn init_absorb(input: &[u8]) -> KeccakState { - let mut state = shake128_init(); - shake128_absorb_final(&mut state, &input); + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128X4 { + let mut state0 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state0, &input0); - state - } + let mut state1 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state1, &input1); - let state0 = init_absorb(input0); - let state1 = init_absorb(input1); - let state2 = init_absorb(input2); - let state3 = init_absorb(input3); + let mut state2 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state2, &input2); - Self { - state0, - state1, - state2, - state3, - } + let mut state3 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state3, &input3); + + Shake128X4 { + state0, + state1, + state2, + state3, + } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128X4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + incremental::shake128_squeeze_first_five_blocks(&mut state.state0, out0); + incremental::shake128_squeeze_first_five_blocks(&mut state.state1, out1); + incremental::shake128_squeeze_first_five_blocks(&mut state.state2, out2); + incremental::shake128_squeeze_first_five_blocks(&mut state.state3, out3); + } + + fn squeeze_next_block( + state: &mut Shake128X4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } + + impl shake128::XofX4 for Shake128X4 { + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -123,12 +157,8 @@ pub(crate) mod portable { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - incremental::shake128_squeeze_first_five_blocks(&mut self.state0, out0); - incremental::shake128_squeeze_first_five_blocks(&mut self.state1, out1); - incremental::shake128_squeeze_first_five_blocks(&mut self.state2, out2); - incremental::shake128_squeeze_first_five_blocks(&mut self.state3, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } - fn squeeze_next_block( &mut self, ) -> ( @@ -137,90 +167,147 @@ pub(crate) mod portable { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } /// Portable SHAKE 128 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128 {} + fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake128(out, input); + } + impl shake128::Xof for Shake128 { fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake128(out, input); + shake128(input, out); } } /// Portable SHAKE 256 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256 { state: KeccakState, } + + fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake256(out, input); + } + + fn init_absorb_shake256(input: &[u8]) -> Shake256 { + let mut state = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state, input); + Shake256 { state } + } + + fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state, &mut out); + out + } + + fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state, &mut out); + out + } + impl shake256::Xof for Shake256 { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake256(out, input); + shake256(input, out); } fn init_absorb(input: &[u8]) -> Self { - let mut state = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state, input); - - Self { state } + init_absorb_shake256(input) } fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out + squeeze_first_block_shake256(self) } fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out + squeeze_next_block_shake256(self) } } /// Portable SHAKE 256 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256X4 { - state0: KeccakState, - state1: KeccakState, - state2: KeccakState, - state3: KeccakState, + state0: libcrux_sha3::portable::KeccakState, + state1: libcrux_sha3::portable::KeccakState, + state2: libcrux_sha3::portable::KeccakState, + state3: libcrux_sha3::portable::KeccakState, } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256X4 { + let mut state0 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state0, input0); - impl shake256::XofX4 for Shake256X4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state0 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state0, input0); + let mut state1 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state1, input1); - let mut state1 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state1, input1); + let mut state2 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state2, input2); - let mut state2 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state2, input2); + let mut state3 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state3, input3); - let mut state3 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state3, input3); + Shake256X4 { + state0, + state1, + state2, + state3, + } + } - Self { - state0, - state1, - state2, - state3, - } + fn squeeze_first_block_x4( + state: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } + + fn squeeze_next_block_x4( + state: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } + + impl shake256::XofX4 for Shake256X4 { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -228,19 +315,10 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -248,19 +326,10 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -270,41 +339,113 @@ pub(crate) mod portable { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - shake256(out0, input0); - shake256(out1, input1); - shake256(out2, input2); - shake256(out3, input3); + shake256(input0, out0); + shake256(input1, out1); + shake256(input2, out2); + shake256(input3, out3); } } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb, + } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Squeeze { + state: libcrux_sha3::portable::incremental::Shake256Squeeze, + } + + use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze}; + + pub(crate) fn shake256_init() -> Shake256Absorb { + Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb::new(), + } + } + pub(crate) fn shake256_absorb(st: &mut Shake256Absorb, input: &[u8]) { + st.state.absorb(input) + } + pub(crate) fn shake256_absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { + Shake256Squeeze { + state: st.state.absorb_final(input), + } + } + pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { + st.state.squeeze(out) + } } /// A SIMD256 implementation of [`shake128::XofX4`] and [`shake256::Xof`] for AVX2. #[cfg(feature = "simd256")] pub(crate) mod simd256 { - use libcrux_sha3::{ - avx2::x4::{self, incremental::KeccakState}, - portable, - }; - use super::{shake128, shake256}; + use libcrux_sha3::avx2::x4; /// AVX2 SHAKE 128 state /// /// This only implements the XofX4 API. For the single Xof, the portable /// version is used. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { - state: KeccakState, + state: libcrux_sha3::avx2::x4::incremental::KeccakState, + } + + /// Init the state and absorb 4 blocks in parallel. + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x4::incremental::shake128_squeeze_first_five_blocks( + &mut state.state, + out0, + out1, + out2, + out3, + ); + } + + fn squeeze_next_block( + state: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x4::incremental::shake128_squeeze_next_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) } impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. + #[inline(always)] fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } + #[inline(always)] fn squeeze_first_five_blocks( &mut self, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], @@ -312,15 +453,10 @@ pub(crate) mod simd256 { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks( - &mut self.state, - out0, - out1, - out2, - out3, - ); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } + #[inline(always)] fn squeeze_next_block( &mut self, ) -> ( @@ -329,67 +465,150 @@ pub(crate) mod simd256 { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x4::incremental::shake128_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } - // TODO: Shake256 is only portable for now. If we don't want to change that, - // we should use the portable Xof impelmentation above. - /// AVX2 SHAKE 256 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256 { - state: portable::KeccakState, + state: libcrux_sha3::portable::KeccakState, } + + #[inline(always)] + fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake256(out, input); + } + + #[inline(always)] + fn init_absorb_shake256(input: &[u8]) -> Shake256 { + let mut state = libcrux_sha3::portable::incremental::shake256_init(); + libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input); + + Shake256 { state } + } + + #[inline(always)] + fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + libcrux_sha3::portable::incremental::shake256_squeeze_first_block( + &mut state.state, + &mut out, + ); + out + } + + #[inline(always)] + fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + libcrux_sha3::portable::incremental::shake256_squeeze_next_block( + &mut state.state, + &mut out, + ); + out + } + impl shake256::Xof for Shake256 { + #[inline(always)] fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - portable::shake256(out, input); + shake256(input, out) } + #[inline(always)] fn init_absorb(input: &[u8]) -> Self { - let mut state = portable::incremental::shake256_init(); - portable::incremental::shake256_absorb_final(&mut state, input); - - Self { state } + init_absorb_shake256(input) } + #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out + squeeze_first_block_shake256(self) } + #[inline(always)] fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out + squeeze_next_block_shake256(self) } } /// AVX2 SHAKE 256 x4 state. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256x4 { - state: KeccakState, + state: libcrux_sha3::avx2::x4::incremental::KeccakState, + } + + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake256x4 { state } + } + + fn squeeze_first_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_first_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) + } + + fn squeeze_next_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_next_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) + } + + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3); } impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + #[inline(always)] + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + #[inline(always)] + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -397,22 +616,11 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_first_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + #[inline(always)] + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -420,22 +628,11 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) - } - - fn shake256( + squeeze_next_block_x4(self) + } + + #[inline(always)] + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -445,7 +642,7 @@ pub(crate) mod simd256 { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3); + shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3); } } } @@ -454,21 +651,57 @@ pub(crate) mod simd256 { #[cfg(feature = "simd128")] pub(crate) mod neon { - use libcrux_sha3::neon::x2::{self, incremental::KeccakState}; - use super::{shake128, shake256}; + use libcrux_sha3::neon::x2; + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) type KeccakState = x2::incremental::KeccakState; + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { state: [KeccakState; 2], } + /// Init the state and absorb 4 blocks in parallel. + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[0], out0, out1); + x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[1], out2, out3); + } + + fn squeeze_next_block( + state: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x2::incremental::shake128_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake128_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -478,8 +711,7 @@ pub(crate) mod neon { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[0], out0, out1); - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[1], out2, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } fn squeeze_next_block( @@ -490,31 +722,79 @@ pub(crate) mod neon { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake128_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } /// Neon SHAKE 256 x4 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256x4 { state: [KeccakState; 2], } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); + Shake256x4 { state } + } + + fn squeeze_first_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x2::incremental::shake256_squeeze_first_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_first_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn squeeze_next_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x2::incremental::shake256_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x2::shake256(input0, input1, out0, out1); + x2::shake256(input2, input3, out2, out3); + } + impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); - Self { state } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -522,17 +802,10 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_first_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_first_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -540,17 +813,10 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -560,8 +826,7 @@ pub(crate) mod neon { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - x2::shake256(input0, input1, out0, out1); - x2::shake256(input2, input3, out2, out3); + shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3); } } } diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs index c83f0ce20..dda8312c1 100644 --- a/libcrux-ml-dsa/src/lib.rs +++ b/libcrux-ml-dsa/src/lib.rs @@ -1,4 +1,5 @@ #![no_std] +#![deny(unsafe_code)] mod arithmetic; mod constants; @@ -16,10 +17,7 @@ mod types; mod utils; // Public interface -pub use { - ml_dsa_generic::{SigningError, VerificationError}, - types::*, -}; +pub use types::*; pub use crate::constants::KEY_GENERATION_RANDOMNESS_SIZE; pub use crate::constants::SIGNING_RANDOMNESS_SIZE; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index d13930b0b..9b0443525 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -1,22 +1,23 @@ -use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze}; - use crate::{ arithmetic::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, constants::*, encoding, - hash_functions::{shake128, shake256}, + hash_functions::{ + portable::{shake256_absorb, shake256_absorb_final, shake256_init, shake256_squeeze}, + shake128, shake256, + }, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, }, ntt::ntt, - polynomial::PolynomialRingElement, pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, simd::traits::Operations, + types::{Signature, SigningError, VerificationError}, utils::into_padded_array, MLDSASignature, }; @@ -24,18 +25,8 @@ use crate::{ pub(crate) mod instantiations; pub(crate) mod multiplexing; -pub(crate) struct Signature< - SIMDUnit: Operations, - const COMMITMENT_HASH_SIZE: usize, - const COLUMNS_IN_A: usize, - const ROWS_IN_A: usize, -> { - pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], - pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], - pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], -} - /// Generate a key pair. +#[inline(always)] pub(crate) fn generate_key_pair< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -52,10 +43,10 @@ pub(crate) fn generate_key_pair< ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; - let mut shake = Shake256Absorb::new(); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - shake.squeeze(&mut seed_expanded); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake256_squeeze(&mut shake, &mut seed_expanded); let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); let (seed_for_error_vectors, seed_for_signing) = @@ -99,21 +90,8 @@ pub(crate) fn generate_key_pair< (signing_key_serialized, verification_key_serialized) } -#[derive(Debug)] -pub enum VerificationError { - MalformedHintError, - SignerResponseExceedsBoundError, - CommitmentHashesDontMatchError, - ContextTooLongError, -} - -#[derive(Debug)] -pub enum SigningError { - RejectionSamplingError, - ContextTooLongError, -} - #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -145,7 +123,6 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash(message); - sign_internal::< SIMDUnit, Shake128X4, @@ -174,6 +151,7 @@ pub(crate) fn sign_pre_hashed< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -199,6 +177,7 @@ pub(crate) fn sign< context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + // TODO: Support implicit into() in ? so that this match becomes unnecessary sign_internal::< SIMDUnit, Shake128X4, @@ -231,6 +210,7 @@ pub(crate) fn sign< /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -280,12 +260,12 @@ pub(crate) fn sign_internal< let mut mask_seed = [0; MASK_SEED_SIZE]; { - let mut shake = Shake256Absorb::new(); - shake.absorb(&seed_for_signing); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&message_representative); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &seed_for_signing); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &message_representative); - shake.squeeze(&mut mask_seed); + shake256_squeeze(&mut shake, &mut mask_seed); } let mut domain_separator_for_mask: u16 = 0; @@ -326,11 +306,11 @@ pub(crate) fn sign_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash_candidate); + shake256_squeeze(&mut shake, &mut commitment_hash_candidate); } let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< @@ -437,25 +417,32 @@ pub(crate) fn sign_internal< /// for details on the domain separation for regular ML-DSA. Line /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA /// variant. +#[inline(always)] fn derive_message_representative( verification_key_hash: [u8; 64], domain_separation_context: Option, message: &[u8], message_representative: &mut [u8; 64], ) { - let mut shake = Shake256Absorb::new(); - shake.absorb(&verification_key_hash); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { - shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]); - shake.absorb(&[domain_separation_context.context().len() as u8]); - shake.absorb(domain_separation_context.context()); + shake256_absorb( + &mut shake, + &[domain_separation_context.pre_hash_oid().is_some() as u8], + ); + shake256_absorb( + &mut shake, + &[domain_separation_context.context().len() as u8], + ); + shake256_absorb(&mut shake, domain_separation_context.context()); if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() { - shake.absorb(pre_hash_oid) + shake256_absorb(&mut shake, pre_hash_oid) } } - let mut shake = shake.absorb_final(message); - shake.squeeze(message_representative); + let mut shake = shake256_absorb_final(shake, message); + shake256_squeeze(&mut shake, message_representative); } /// The internal verification API. @@ -463,6 +450,7 @@ fn derive_message_representative( /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -545,11 +533,11 @@ pub(crate) fn verify_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash); + shake256_squeeze(&mut shake, &mut commitment_hash); } if signature.commitment_hash != commitment_hash { @@ -563,6 +551,7 @@ pub(crate) fn verify_internal< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -586,6 +575,7 @@ pub(crate) fn verify< context: &[u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { + // TODO: Support implicit into() in ? so that this match becomes unnecessary verify_internal::< SIMDUnit, Shake128X4, @@ -612,6 +602,7 @@ pub(crate) fn verify< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 1718f6c01..15936617b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -3,9 +3,9 @@ macro_rules! instantiate { pub mod $modp { use crate::{ constants::*, - ml_dsa_generic::{SigningError, VerificationError}, pre_hash::SHAKE128_PH, types::*, + types::{SigningError, VerificationError}, }; /// Generate key pair. @@ -305,12 +305,7 @@ instantiate! {portable, // AVX2 generic implementation. #[cfg(feature = "simd256")] -instantiate! {avx2, - crate::simd::avx2::AVX2SIMDUnit, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - crate::hash_functions::simd256::Shake256x4 -} +pub mod avx2; // NEON generic implementation. #[cfg(feature = "simd128")] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs new file mode 100644 index 000000000..6f3a754a2 --- /dev/null +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -0,0 +1,585 @@ +use crate::{ + constants::*, + ml_dsa_generic::{SigningError, VerificationError}, + pre_hash::SHAKE128_PH, + types::*, +}; + +mod avx2_feature { + use super::*; + + /// Generate key pair. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn generate_key_pair< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + >( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + crate::ml_dsa_generic::generate_key_pair::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + VERIFICATION_KEY_SIZE, + >(randomness) + } + + /// Sign. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn sign< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, context, randomness) + } + + /// Sign (internal API) + #[cfg(feature = "acvp")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn sign_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, None, randomness) + } + + /// Sign (pre-hashed). + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn sign_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + SHAKE128_PH, + 256, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, context, randomness) + } + + /// Verify. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn verify< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } + + /// Verify (internal API). + #[cfg(feature = "acvp")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn verify_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, None, signature) + } + + /// Verify (pre-hashed with SHAKE-128). + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn verify_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + SHAKE128_PH, + 256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } +} + +/// Generate key pair. +#[allow(unsafe_code)] +pub(crate) fn generate_key_pair< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, +>( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], +) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + unsafe { + avx2_feature::generate_key_pair::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + VERIFICATION_KEY_SIZE, + >(randomness) + } +} + +/// Sign. +#[allow(unsafe_code)] +#[inline(always)] +pub(crate) fn sign< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, +>( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result, SigningError> { + unsafe { + avx2_feature::sign::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(signing_key, message, context, randomness) + } +} + +/// Sign (internal API) +#[cfg(feature = "acvp")] +#[allow(unsafe_code)] +pub(crate) fn sign_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, +>( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result, SigningError> { + unsafe { + avx2_feature::sign_internal::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(signing_key, message, randomness) + } +} + +/// Sign (pre-hashed). +#[allow(unsafe_code)] +pub(crate) fn sign_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, +>( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result, SigningError> { + unsafe { + avx2_feature::sign_pre_hashed_shake128::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(signing_key, message, context, randomness) + } +} + +/// Verify. +#[allow(unsafe_code)] +pub(crate) fn verify< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, +>( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], +) -> Result<(), VerificationError> { + unsafe { + avx2_feature::verify::< + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } +} + +/// Verify (internal API). +#[cfg(feature = "acvp")] +#[allow(unsafe_code)] +pub(crate) fn verify_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, +>( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], +) -> Result<(), VerificationError> { + unsafe { + avx2_feature::verify_internal::< + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, signature) + } +} + +/// Verify (pre-hashed with SHAKE-128). +#[allow(unsafe_code)] +pub(crate) fn verify_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, +>( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], +) -> Result<(), VerificationError> { + unsafe { + avx2_feature::verify_pre_hashed_shake128::< + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } +} diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index a1246393c..eb8f2424d 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -1,39 +1,9 @@ use crate::{ arithmetic::FieldElementTimesMontgomeryR, - constants::COEFFICIENTS_IN_RING_ELEMENT, polynomial::PolynomialRingElement, simd::traits::{montgomery_multiply_by_fer, Operations, COEFFICIENTS_IN_SIMD_UNIT}, }; -const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [ - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, - -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, - -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, - 280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, - -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694, - -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724, - -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, - 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525, - -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992, - 44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, - -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669, - -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500, - 3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352, - -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, - -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, - 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150, - 1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, -2994039, - 1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, - -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412, - -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455, - -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149, - 1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, - 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036, - -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306, - -1362209, 3937738, 1400424, -846154, 1976782, -]; - #[inline(always)] pub(crate) fn ntt( re: PolynomialRingElement, @@ -44,93 +14,256 @@ pub(crate) fn ntt( } #[inline(always)] -fn invert_ntt_at_layer_0( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - *zeta_i -= 1; - - for round in 0..re.simd_units.len() { - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_0( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3], - ); - - *zeta_i -= 4; +fn invert_ntt_at_layer_0(re: &mut PolynomialRingElement) { + #[inline(always)] + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + re.simd_units[index] = + SIMDUnit::invert_ntt_at_layer_0(re.simd_units[index], zeta_0, zeta_1, zeta_2, zeta_3); } - *zeta_i += 1; + // macro_rules! round { + // ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { + // re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0( + // re.simd_units[$i], + // $zeta_0, + // $zeta_1, + // $zeta_2, + // $zeta_3, + // ); + // }; + // } + + round(re, 0, 1976782, -846154, 1400424, 3937738); + round(re, 1, -1362209, -48306, 3919660, -554416); + round(re, 2, -3545687, 1612842, -976891, 183443); + round(re, 3, -2286327, -420899, -2235985, -2939036); + round(re, 4, -3833893, -260646, -1104333, -1667432); + round(re, 5, 1910376, -1803090, 1723600, -426683); + round(re, 6, 472078, 1717735, -975884, 2213111); + round(re, 7, 269760, 3866901, 3523897, -3038916); + round(re, 8, -1799107, -3694233, 1652634, 810149); + round(re, 9, 3014001, 1616392, 162844, -3183426); + round(re, 10, -1207385, 185531, 3369112, 1957272); + round(re, 11, -164721, 2454455, 2432395, -2013608); + round(re, 12, -3776993, 594136, -3724270, -2584293); + round(re, 13, -1846953, -1671176, -2831860, -542412); + round(re, 14, 3406031, 2235880, 777191, 1500165); + round(re, 15, -1374803, -2546312, 1917081, -1279661); + round(re, 16, -1962642, 3306115, 1312455, -451100); + round(re, 17, -1430225, -3318210, 1237275, -1333058); + round(re, 18, -1050970, 1903435, 1869119, -2994039); + round(re, 19, -3548272, 2635921, 1250494, -3767016); + round(re, 20, 1595974, 2486353, 1247620, 4055324); + round(re, 21, 1265009, -2590150, 2691481, 2842341); + round(re, 22, 203044, 1735879, -3342277, 3437287); + round(re, 23, 4108315, -2437823, 286988, 342297); + round(re, 24, -3595838, -768622, -525098, -3556995); + round(re, 25, 3207046, 2031748, -3122442, -655327); + round(re, 26, -522500, -43260, -1613174, 495491); + round(re, 27, 819034, 909542, 1859098, 900702); + round(re, 28, -3193378, -1197226, -3759364, -3520352); + round(re, 29, 3513181, -1235728, 2434439, 266997); + round(re, 30, -3562462, -2446433, 2244091, -3342478); + round(re, 31, 3817976, 2316500, 3407706, 2091667); } + #[inline(always)] -fn invert_ntt_at_layer_1( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - *zeta_i -= 1; +fn invert_ntt_at_layer_1(re: &mut PolynomialRingElement) { + #[inline(always)] + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + re.simd_units[index] = + SIMDUnit::invert_ntt_at_layer_1(re.simd_units[index], zeta_0, zeta_1); + } - for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) { - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_1( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], - ); - *zeta_i -= 2; + round(re, 0, 3839961, -3628969); + round(re, 1, -3881060, -3019102); + round(re, 2, -1439742, -812732); + round(re, 3, -1584928, 1285669); + round(re, 4, 1341330, 1315589); + round(re, 5, -177440, -2409325); + round(re, 6, -1851402, 3159746); + round(re, 7, -3553272, 189548); + round(re, 8, -1316856, 759969); + round(re, 9, -210977, 2389356); + round(re, 10, -3249728, 1653064); + round(re, 11, -8578, -3724342); + round(re, 12, 3958618, 904516); + round(re, 13, -1100098, 44288); + round(re, 14, 3097992, 508951); + round(re, 15, 264944, -3343383); + round(re, 16, -1430430, 1852771); + round(re, 17, 1349076, -381987); + round(re, 18, -1308169, -22981); + round(re, 19, -1228525, -671102); + round(re, 20, -2477047, -411027); + round(re, 21, -3693493, -2967645); + round(re, 22, 2715295, 2147896); + round(re, 23, -983419, 3412210); + round(re, 24, 126922, -3632928); + round(re, 25, -3157330, -3190144); + round(re, 26, -1000202, -4083598); + round(re, 27, 1939314, -1257611); + round(re, 28, -1585221, 2176455); + round(re, 29, 3475950, -1452451); + round(re, 30, -3041255, -3677745); + round(re, 31, -1528703, -3930395); +} + +#[inline(always)] +fn invert_ntt_at_layer_2(re: &mut PolynomialRingElement) { + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta: i32, + ) { + re.simd_units[index] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[index], zeta); } - *zeta_i += 1; + round(re, 0, -2797779); + round(re, 1, 2071892); + round(re, 2, -2556880); + round(re, 3, 3900724); + round(re, 4, 3881043); + round(re, 5, 954230); + round(re, 6, 531354); + round(re, 7, 811944); + round(re, 8, 3699596); + round(re, 9, -1600420); + round(re, 10, -2140649); + round(re, 11, 3507263); + round(re, 12, -3821735); + round(re, 13, 3505694); + round(re, 14, -1643818); + round(re, 15, -1699267); + round(re, 16, -539299); + round(re, 17, 2348700); + round(re, 18, -300467); + round(re, 19, 3539968); + round(re, 20, -2867647); + round(re, 21, 3574422); + round(re, 22, -3043716); + round(re, 23, -3861115); + round(re, 24, 3915439); + round(re, 25, -2537516); + round(re, 26, -3592148); + round(re, 27, -1661693); + round(re, 28, 3530437); + round(re, 29, 3077325); + round(re, 30, 95776); + round(re, 31, 2706023); } + #[inline(always)] -fn invert_ntt_at_layer_2( - zeta_i: &mut usize, +fn outer_3_plus< + SIMDUnit: Operations, + const OFFSET: usize, + const STEP_BY: usize, + const ZETA: FieldElementTimesMontgomeryR, +>( re: &mut PolynomialRingElement, ) { - for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) { - *zeta_i -= 1; - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_2( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ); + for j in OFFSET..OFFSET + STEP_BY { + let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + STEP_BY], &re.simd_units[j]); + re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + STEP_BY]); + re.simd_units[j + STEP_BY] = montgomery_multiply_by_fer(a_minus_b, ZETA); } + () } + #[inline(always)] -fn invert_ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - let step = 1 << LAYER; +fn invert_ntt_at_layer_3(re: &mut PolynomialRingElement) { + const STEP: usize = 8; // 1 << LAYER; + const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; - for round in 0..(128 >> LAYER) { - *zeta_i -= 1; + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::( + re, + ); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::( + re, + ); + outer_3_plus::(re); + outer_3_plus::(re); +} - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; +#[inline(always)] +fn invert_ntt_at_layer_4(re: &mut PolynomialRingElement) { + const STEP: usize = 16; // 1 << LAYER; + const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; - for j in offset..offset + step_by { - let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + step_by], &re.simd_units[j]); - re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + step_by]); - re.simd_units[j + step_by] = - montgomery_multiply_by_fer(a_minus_b, ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); - } - } + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_5(re: &mut PolynomialRingElement) { + const STEP: usize = 32; // 1 << LAYER; + const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_6(re: &mut PolynomialRingElement) { + const STEP: usize = 64; // 1 << LAYER; + const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_7(re: &mut PolynomialRingElement) { + const STEP: usize = 128; // 1 << LAYER; + const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); } #[inline(always)] pub(crate) fn invert_ntt_montgomery( mut re: PolynomialRingElement, ) -> PolynomialRingElement { - let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT; - - invert_ntt_at_layer_0(&mut zeta_i, &mut re); - invert_ntt_at_layer_1(&mut zeta_i, &mut re); - invert_ntt_at_layer_2(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); + invert_ntt_at_layer_0(&mut re); + invert_ntt_at_layer_1(&mut re); + invert_ntt_at_layer_2(&mut re); + invert_ntt_at_layer_3(&mut re); + invert_ntt_at_layer_4(&mut re); + invert_ntt_at_layer_5(&mut re); + invert_ntt_at_layer_6(&mut re); + invert_ntt_at_layer_7(&mut re); for i in 0..re.simd_units.len() { // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index acc135481..0cab00b27 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -44,7 +44,7 @@ impl PolynomialRingElement { let mut exceeds = false; for simd_unit in self.simd_units { - exceeds |= SIMDUnit::infinity_norm_exceeds(simd_unit, bound); + exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(simd_unit, bound); } exceeds diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index e21e412c2..06855c0f9 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -5,7 +5,9 @@ //!/perform the pre-hash of the message. This module implements the //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. use crate::{ - constants::CONTEXT_MAX_LEN, hash_functions::shake128::Xof, SigningError, VerificationError, + constants::CONTEXT_MAX_LEN, + hash_functions::shake128::Xof, + types::{SigningError, VerificationError}, }; pub(crate) const PRE_HASH_OID_LEN: usize = 11; diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index dfbb5b554..99e7d33f2 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -251,8 +251,8 @@ pub(crate) fn sample_four_error_ring_elements< seed3[64] = domain_separator3 as u8; seed3[65] = (domain_separator3 >> 8) as u8; - let mut state = Shake256::init_absorb(&seed0, &seed1, &seed2, &seed3); - let randomnesses = state.squeeze_first_block(); + let mut state = Shake256::init_absorb_x4(&seed0, &seed1, &seed2, &seed3); + let randomnesses = state.squeeze_first_block_x4(); // Every call to |rejection_sample_less_than_field_modulus| // will result in a call to |SIMDUnit::rejection_sample_less_than_field_modulus|; @@ -283,7 +283,7 @@ pub(crate) fn sample_four_error_ring_elements< while !done0 || !done1 || !done2 || !done3 { // Always sample another 4, but we only use it if we actually need it. - let randomnesses = state.squeeze_next_block(); + let randomnesses = state.squeeze_next_block_x4(); if !done0 { done0 = rejection_sample_less_than_eta::( &randomnesses.0, @@ -322,6 +322,7 @@ pub(crate) fn sample_four_error_ring_elements< ) } +#[inline(always)] fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { seed[64] = *domain_separator as u8; seed[65] = (*domain_separator >> 8) as u8; @@ -380,7 +381,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 576]; let mut out2 = [0; 576]; let mut out3 = [0; 576]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); @@ -393,7 +394,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 640]; let mut out2 = [0; 640]; let mut out3 = [0; 640]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 1173c0abf..918deb8ce 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -10,6 +10,22 @@ fn generate_domain_separator(row: u8, column: u8) -> u16 { (column as u16) | ((row as u16) << 8) } +// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F* +// https://github.com/hacspec/hax/issues/1098 +// So we are instead using a matrix abstraction with a custom update function here. + +type Matrix = + [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; + +fn update_matrix( + m: &mut Matrix, + i: usize, + j: usize, + v: PolynomialRingElement, +) { + m[i][j] = v; +} + #[allow(non_snake_case)] #[inline(always)] pub(crate) fn matrix_A_4_by_4< @@ -19,8 +35,9 @@ pub(crate) fn matrix_A_4_by_4< const COLUMNS_IN_A: usize, >( seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; +) -> Matrix { + let mut A: Matrix = + [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; let four_ring_elements = sample_four_ring_elements::( seed, @@ -29,10 +46,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -41,10 +58,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(1, 2), generate_domain_separator(1, 3), ); - A[1][0] = four_ring_elements.0; - A[1][1] = four_ring_elements.1; - A[1][2] = four_ring_elements.2; - A[1][3] = four_ring_elements.3; + update_matrix(&mut A, 1, 0, four_ring_elements.0); + update_matrix(&mut A, 1, 1, four_ring_elements.1); + update_matrix(&mut A, 1, 2, four_ring_elements.2); + update_matrix(&mut A, 1, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -53,10 +70,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(2, 2), generate_domain_separator(2, 3), ); - A[2][0] = four_ring_elements.0; - A[2][1] = four_ring_elements.1; - A[2][2] = four_ring_elements.2; - A[2][3] = four_ring_elements.3; + update_matrix(&mut A, 2, 0, four_ring_elements.0); + update_matrix(&mut A, 2, 1, four_ring_elements.1); + update_matrix(&mut A, 2, 2, four_ring_elements.2); + update_matrix(&mut A, 2, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -65,10 +82,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(3, 2), generate_domain_separator(3, 3), ); - A[3][0] = four_ring_elements.0; - A[3][1] = four_ring_elements.1; - A[3][2] = four_ring_elements.2; - A[3][3] = four_ring_elements.3; + update_matrix(&mut A, 3, 0, four_ring_elements.0); + update_matrix(&mut A, 3, 1, four_ring_elements.1); + update_matrix(&mut A, 3, 2, four_ring_elements.2); + update_matrix(&mut A, 3, 3, four_ring_elements.3); A } @@ -92,10 +109,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -104,10 +121,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(1, 1), generate_domain_separator(1, 2), ); - A[0][4] = four_ring_elements.0; - A[1][0] = four_ring_elements.1; - A[1][1] = four_ring_elements.2; - A[1][2] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 1, 0, four_ring_elements.1); + update_matrix(&mut A, 1, 1, four_ring_elements.2); + update_matrix(&mut A, 1, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -116,10 +133,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][3] = four_ring_elements.0; - A[1][4] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 3, four_ring_elements.0); + update_matrix(&mut A, 1, 4, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -128,10 +145,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 4), generate_domain_separator(3, 0), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[3][0] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 3, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -140,10 +157,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(3, 3), generate_domain_separator(3, 4), ); - A[3][1] = four_ring_elements.0; - A[3][2] = four_ring_elements.1; - A[3][3] = four_ring_elements.2; - A[3][4] = four_ring_elements.3; + update_matrix(&mut A, 3, 1, four_ring_elements.0); + update_matrix(&mut A, 3, 2, four_ring_elements.1); + update_matrix(&mut A, 3, 3, four_ring_elements.2); + update_matrix(&mut A, 3, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -152,10 +169,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -164,10 +181,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 1), generate_domain_separator(5, 2), ); - A[4][4] = four_ring_elements.0; - A[5][0] = four_ring_elements.1; - A[5][1] = four_ring_elements.2; - A[5][2] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 5, 0, four_ring_elements.1); + update_matrix(&mut A, 5, 1, four_ring_elements.2); + update_matrix(&mut A, 5, 2, four_ring_elements.3); // The the last 2 sampled ring elements are discarded here. let four_ring_elements = sample_four_ring_elements::( @@ -177,8 +194,8 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 5), generate_domain_separator(5, 6), ); - A[5][3] = four_ring_elements.0; - A[5][4] = four_ring_elements.1; + update_matrix(&mut A, 5, 3, four_ring_elements.0); + update_matrix(&mut A, 5, 4, four_ring_elements.1); A } @@ -201,10 +218,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -213,10 +230,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 6), generate_domain_separator(1, 0), ); - A[0][4] = four_ring_elements.0; - A[0][5] = four_ring_elements.1; - A[0][6] = four_ring_elements.2; - A[1][0] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 0, 5, four_ring_elements.1); + update_matrix(&mut A, 0, 6, four_ring_elements.2); + update_matrix(&mut A, 1, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -225,10 +242,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(1, 3), generate_domain_separator(1, 4), ); - A[1][1] = four_ring_elements.0; - A[1][2] = four_ring_elements.1; - A[1][3] = four_ring_elements.2; - A[1][4] = four_ring_elements.3; + update_matrix(&mut A, 1, 1, four_ring_elements.0); + update_matrix(&mut A, 1, 2, four_ring_elements.1); + update_matrix(&mut A, 1, 3, four_ring_elements.2); + update_matrix(&mut A, 1, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -237,10 +254,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][5] = four_ring_elements.0; - A[1][6] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 5, four_ring_elements.0); + update_matrix(&mut A, 1, 6, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -249,10 +266,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 4), generate_domain_separator(2, 5), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[2][5] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 2, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -261,10 +278,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 1), generate_domain_separator(3, 2), ); - A[2][6] = four_ring_elements.0; - A[3][0] = four_ring_elements.1; - A[3][1] = four_ring_elements.2; - A[3][2] = four_ring_elements.3; + update_matrix(&mut A, 2, 6, four_ring_elements.0); + update_matrix(&mut A, 3, 0, four_ring_elements.1); + update_matrix(&mut A, 3, 1, four_ring_elements.2); + update_matrix(&mut A, 3, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -273,10 +290,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 5), generate_domain_separator(3, 6), ); - A[3][3] = four_ring_elements.0; - A[3][4] = four_ring_elements.1; - A[3][5] = four_ring_elements.2; - A[3][6] = four_ring_elements.3; + update_matrix(&mut A, 3, 3, four_ring_elements.0); + update_matrix(&mut A, 3, 4, four_ring_elements.1); + update_matrix(&mut A, 3, 5, four_ring_elements.2); + update_matrix(&mut A, 3, 6, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -285,10 +302,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -297,10 +314,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 6), generate_domain_separator(5, 0), ); - A[4][4] = four_ring_elements.0; - A[4][5] = four_ring_elements.1; - A[4][6] = four_ring_elements.2; - A[5][0] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 4, 5, four_ring_elements.1); + update_matrix(&mut A, 4, 6, four_ring_elements.2); + update_matrix(&mut A, 5, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -309,10 +326,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(5, 3), generate_domain_separator(5, 4), ); - A[5][1] = four_ring_elements.0; - A[5][2] = four_ring_elements.1; - A[5][3] = four_ring_elements.2; - A[5][4] = four_ring_elements.3; + update_matrix(&mut A, 5, 1, four_ring_elements.0); + update_matrix(&mut A, 5, 2, four_ring_elements.1); + update_matrix(&mut A, 5, 3, four_ring_elements.2); + update_matrix(&mut A, 5, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -321,10 +338,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 0), generate_domain_separator(6, 1), ); - A[5][5] = four_ring_elements.0; - A[5][6] = four_ring_elements.1; - A[6][0] = four_ring_elements.2; - A[6][1] = four_ring_elements.3; + update_matrix(&mut A, 5, 5, four_ring_elements.0); + update_matrix(&mut A, 5, 6, four_ring_elements.1); + update_matrix(&mut A, 6, 0, four_ring_elements.2); + update_matrix(&mut A, 6, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -333,10 +350,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 4), generate_domain_separator(6, 5), ); - A[6][2] = four_ring_elements.0; - A[6][3] = four_ring_elements.1; - A[6][4] = four_ring_elements.2; - A[6][5] = four_ring_elements.3; + update_matrix(&mut A, 6, 2, four_ring_elements.0); + update_matrix(&mut A, 6, 3, four_ring_elements.1); + update_matrix(&mut A, 6, 4, four_ring_elements.2); + update_matrix(&mut A, 6, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -345,10 +362,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 1), generate_domain_separator(7, 2), ); - A[6][6] = four_ring_elements.0; - A[7][0] = four_ring_elements.1; - A[7][1] = four_ring_elements.2; - A[7][2] = four_ring_elements.3; + update_matrix(&mut A, 6, 6, four_ring_elements.0); + update_matrix(&mut A, 7, 0, four_ring_elements.1); + update_matrix(&mut A, 7, 1, four_ring_elements.2); + update_matrix(&mut A, 7, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -357,10 +374,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 5), generate_domain_separator(7, 6), ); - A[7][3] = four_ring_elements.0; - A[7][4] = four_ring_elements.1; - A[7][5] = four_ring_elements.2; - A[7][6] = four_ring_elements.3; + update_matrix(&mut A, 7, 3, four_ring_elements.0); + update_matrix(&mut A, 7, 4, four_ring_elements.1); + update_matrix(&mut A, 7, 5, four_ring_elements.2); + update_matrix(&mut A, 7, 6, four_ring_elements.3); A } diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs index 7228eefe2..376602844 100644 --- a/libcrux-ml-dsa/src/simd.rs +++ b/libcrux-ml-dsa/src/simd.rs @@ -3,3 +3,6 @@ pub(crate) mod avx2; pub(crate) mod portable; pub(crate) mod traits; + +#[cfg(test)] +pub(crate) mod tests; diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 82192638a..608f37add 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -1,129 +1,142 @@ use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; -use libcrux_intrinsics; mod arithmetic; mod encoding; mod ntt; mod rejection_sample; +mod vector_type; -#[derive(Clone, Copy)] -pub struct AVX2SIMDUnit { - pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, -} - -impl From for AVX2SIMDUnit { - fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { - Self { coefficients } - } -} +pub(crate) use vector_type::AVX2SIMDUnit; impl Operations for AVX2SIMDUnit { + #[inline(always)] fn ZERO() -> Self { - libcrux_intrinsics::avx2::mm256_setzero_si256().into() + vector_type::ZERO() } + #[inline(always)] fn from_coefficient_array(coefficient_array: &[i32]) -> Self { - libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() + vector_type::from_coefficient_array(coefficient_array) } + #[inline(always)] fn to_coefficient_array(&self) -> [i32; 8] { - let mut coefficient_array = [0i32; 8]; - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, self.coefficients); - - coefficient_array + vector_type::to_coefficient_array(&self) } - + #[inline(always)] fn add(lhs: &Self, rhs: &Self) -> Self { arithmetic::add(lhs.coefficients, rhs.coefficients).into() } - + #[inline(always)] fn subtract(lhs: &Self, rhs: &Self) -> Self { arithmetic::subtract(lhs.coefficients, rhs.coefficients).into() } - + #[inline(always)] fn montgomery_multiply_by_constant(simd_unit: Self, constant: i32) -> Self { arithmetic::montgomery_multiply_by_constant(simd_unit.coefficients, constant).into() } + #[inline(always)] fn montgomery_multiply(lhs: Self, rhs: Self) -> Self { arithmetic::montgomery_multiply(lhs.coefficients, rhs.coefficients).into() } + #[inline(always)] fn shift_left_then_reduce(simd_unit: Self) -> Self { arithmetic::shift_left_then_reduce::(simd_unit.coefficients).into() } + #[inline(always)] fn power2round(simd_unit: Self) -> (Self, Self) { let (lower, upper) = arithmetic::power2round(simd_unit.coefficients); (lower.into(), upper.into()) } + #[inline(always)] fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool { arithmetic::infinity_norm_exceeds(simd_unit.coefficients, bound) } + #[inline(always)] fn decompose(simd_unit: Self) -> (Self, Self) { let (lower, upper) = arithmetic::decompose::(simd_unit.coefficients); (lower.into(), upper.into()) } + #[inline(always)] fn compute_hint(low: Self, high: Self) -> (usize, Self) { let (count, hint) = arithmetic::compute_hint::(low.coefficients, high.coefficients); (count, hint.into()) } + #[inline(always)] fn use_hint(simd_unit: Self, hint: Self) -> Self { arithmetic::use_hint::(simd_unit.coefficients, hint.coefficients).into() } + #[inline(always)] fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_field_modulus::sample(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<2>(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<4>(randomness, out) } + #[inline(always)] fn gamma1_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::gamma1::serialize::(simd_unit.coefficients) } + #[inline(always)] fn gamma1_deserialize(serialized: &[u8]) -> Self { encoding::gamma1::deserialize::(serialized).into() } + #[inline(always)] fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::commitment::serialize::(simd_unit.coefficients) } + #[inline(always)] fn error_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::error::serialize::(simd_unit.coefficients) } + #[inline(always)] fn error_deserialize(serialized: &[u8]) -> Self { encoding::error::deserialize::(serialized).into() } + #[inline(always)] fn t0_serialize(simd_unit: Self) -> [u8; 13] { encoding::t0::serialize(simd_unit.coefficients) } + #[inline(always)] fn t0_deserialize(serialized: &[u8]) -> Self { encoding::t0::deserialize(serialized).into() } + #[inline(always)] fn t1_serialize(simd_unit: Self) -> [u8; 10] { encoding::t1::serialize(simd_unit.coefficients) } + #[inline(always)] fn t1_deserialize(serialized: &[u8]) -> Self { encoding::t1::deserialize(serialized).into() } + #[inline(always)] fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { let result = ntt::ntt(simd_units.map(|x| x.coefficients)); result.map(|x| x.into()) } + #[inline(always)] + #[allow(unsafe_code)] fn invert_ntt_at_layer_0( simd_unit: Self, zeta0: i32, @@ -131,12 +144,20 @@ impl Operations for AVX2SIMDUnit { zeta2: i32, zeta3: i32, ) -> Self { - ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into() + unsafe { + ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into() + } } + + #[inline(always)] + #[allow(unsafe_code)] fn invert_ntt_at_layer_1(simd_unit: Self, zeta0: i32, zeta1: i32) -> Self { - ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into() + unsafe { ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into() } } + + #[inline(always)] + #[allow(unsafe_code)] fn invert_ntt_at_layer_2(simd_unit: Self, zeta: i32) -> Self { - ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into() + unsafe { ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into() } } } diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index c6f302155..cb84a2933 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -1,7 +1,5 @@ use super::arithmetic; -use crate::simd::traits::{ - COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R, -}; +use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; use libcrux_intrinsics::avx2::*; @@ -102,8 +100,9 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) (a_out, b_out) } -#[inline(always)] -pub fn invert_ntt_at_layer_0( +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +pub(super) unsafe fn invert_ntt_at_layer_0( simd_unit: Vec256, zeta0: i32, zeta1: i32, @@ -123,33 +122,91 @@ pub fn invert_ntt_at_layer_0( mm256_blend_epi32::<0b1_0_1_0_1_0_1_0>(sums, products) } -#[inline(always)] -fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; - for round in (0..re.len()).step_by(2) { +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + zeta_4: i32, + zeta_5: i32, + zeta_6: i32, + zeta_7: i32, + ) { let (a, b) = butterfly_2( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 4], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 5], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 6], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 7], + re[index], + re[index + 1], + zeta_0, + zeta_1, + zeta_2, + zeta_3, + zeta_4, + zeta_5, + zeta_6, + zeta_7, ); - re[round] = a; - re[round + 1] = b; - - *zeta_i += 8; + re[index] = a; + re[index + 1] = b; } - *zeta_i -= 1; + round( + re, 0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, + ); + round( + re, 2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, + ); + round( + re, 4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, + ); + round( + re, 6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, + ); + round( + re, 8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, + ); + round( + re, 10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, + ); + round( + re, 12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, + ); + round( + re, 14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, + ); + round( + re, 16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, + ); + round( + re, 18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, + ); + round( + re, 20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, + ); + round( + re, 22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, + ); + round( + re, 24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, + ); + round( + re, 26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, + ); + round( + re, 28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, + ); + round( + re, 30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782, + ); } -#[inline(always)] -pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 { +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 { let zetas = mm256_set_epi32(zeta1, zeta1, 0, 0, zeta0, zeta0, 0, 0); let add_by_signs = mm256_set_epi32(-1, -1, 1, 1, -1, -1, 1, 1); @@ -163,29 +220,44 @@ pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec25 mm256_blend_epi32::<0b1_1_0_0_1_1_0_0>(sums, products) } -#[inline(always)] -fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; - for round in (0..re.len()).step_by(2) { - let (a, b) = butterfly_4( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ); - re[round] = a; - re[round + 1] = b; - - *zeta_i += 4; +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + let (a, b) = butterfly_4(re[index], re[index + 1], zeta_0, zeta_1, zeta_2, zeta_3); + re[index] = a; + re[index + 1] = b; } - *zeta_i -= 1; + round(re, 0, -3930395, -1528703, -3677745, -3041255); + round(re, 2, -1452451, 3475950, 2176455, -1585221); + round(re, 4, -1257611, 1939314, -4083598, -1000202); + round(re, 6, -3190144, -3157330, -3632928, 126922); + round(re, 8, 3412210, -983419, 2147896, 2715295); + round(re, 10, -2967645, -3693493, -411027, -2477047); + round(re, 12, -671102, -1228525, -22981, -1308169); + round(re, 14, -381987, 1349076, 1852771, -1430430); + round(re, 16, -3343383, 264944, 508951, 3097992); + round(re, 18, 44288, -1100098, 904516, 3958618); + round(re, 20, -3724342, -8578, 1653064, -3249728); + round(re, 22, 2389356, -210977, 759969, -1316856); + round(re, 24, 189548, -3553272, 3159746, -1851402); + round(re, 26, -2409325, -177440, 1315589, 1341330); + round(re, 28, 1285669, -1584928, -812732, -1439742); + round(re, 30, -3019102, -3881060, -3628969, 3839961); } -#[inline(always)] -pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 { +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 { let zetas = mm256_set_epi32(zeta, zeta, zeta, zeta, 0, 0, 0, 0); let add_by_signs = mm256_set_epi32(-1, -1, -1, -1, 1, 1, 1, 1); @@ -199,61 +271,235 @@ pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 { mm256_blend_epi32::<0b1_1_1_1_0_0_0_0>(sums, products) } -#[inline(always)] -fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - for round in (0..re.len()).step_by(2) { - *zeta_i += 1; - let (a, b) = butterfly_8( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + let (a, b) = butterfly_8(re[index], re[index + 1], zeta_0, zeta_1); + re[index] = a; + re[index + 1] = b; + } + + round(re, 0, 2706023, 95776); + round(re, 2, 3077325, 3530437); + round(re, 4, -1661693, -3592148); + round(re, 6, -2537516, 3915439); + round(re, 8, -3861115, -3043716); + round(re, 10, 3574422, -2867647); + round(re, 12, 3539968, -300467); + round(re, 14, 2348700, -539299); + round(re, 16, -1699267, -1643818); + round(re, 18, 3505694, -3821735); + round(re, 20, 3507263, -2140649); + round(re, 22, -1600420, 3699596); + round(re, 24, 811944, 531354); + round(re, 26, 954230, 3881043); + round(re, 28, 3900724, -2556880); + round(re, 30, 2071892, -2797779); +} + +/// This is equivalent to the pqclean 0 and 1 +/// +/// This does 32 Montgomery multiplications (192 multiplications). +/// This is the same as in pqclean. The only difference is locality of registers. +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS); + let inverse_of_modulus_mod_montgomery_r = + mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); + + #[inline(always)] + fn mul( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta: Vec256, + step_by: usize, + field_modulus: Vec256, + inverse_of_modulus_mod_montgomery_r: Vec256, + ) { + let prod02 = mm256_mul_epi32(re[index + step_by], zeta); + let prod13 = mm256_mul_epi32( + mm256_shuffle_epi32::<0b11_11_01_01>(re[index + step_by]), // 0xF5 + mm256_shuffle_epi32::<0b11_11_01_01>(zeta), // 0xF5 ); - re[round] = a; - re[round + 1] = b; + let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); + let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); + + let c02 = mm256_mul_epi32(k02, field_modulus); + let c13 = mm256_mul_epi32(k13, field_modulus); + + let res02 = mm256_sub_epi32(prod02, c02); + let res13 = mm256_sub_epi32(prod13, c13); + let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 + let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA - *zeta_i += 1; + re[index + step_by] = arithmetic::subtract(re[index], t); + re[index] = arithmetic::add(re[index], t); } -} -#[inline(always)] -fn ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], -) { - let step = 1 << LAYER; - - for round in 0..(128 >> LAYER) { - *zeta_i += 1; - - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; - - for j in offset..offset + step_by { - let t = arithmetic::montgomery_multiply_by_constant( - re[j + step_by], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + macro_rules! layer { + ($start:literal, $zeta:expr, $step_by:expr) => {{ + mul( + re, + $start, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + mul( + re, + $start + 1, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, ); + mul( + re, + $start + 2, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + mul( + re, + $start + 3, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + }}; + } - re[j + step_by] = arithmetic::subtract(re[j], t); + const STEP_BY_7: usize = 2 * COEFFICIENTS_IN_SIMD_UNIT; + const STEP_BY_6: usize = (1 << 6) / COEFFICIENTS_IN_SIMD_UNIT; + + let zeta7 = mm256_set1_epi32(25847); + let zeta60 = mm256_set1_epi32(-2608894); + let zeta61 = mm256_set1_epi32(-518909); + + layer!(0, zeta7, STEP_BY_7); + layer!(8, zeta7, STEP_BY_7); + layer!(0, zeta60, STEP_BY_6); + layer!(16, zeta61, STEP_BY_6); + + layer!(4, zeta7, STEP_BY_7); + layer!(12, zeta7, STEP_BY_7); + layer!(4, zeta60, STEP_BY_6); + layer!(20, zeta61, STEP_BY_6); +} + +/// Layer 5, 4, 3 +/// +/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total +/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] +#[allow(unsafe_code)] +unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta: i32, + ) { + let rhs = mm256_set1_epi32(zeta); + let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; + + for j in offset..offset + STEP_BY { + let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs); + + re[j + STEP_BY] = arithmetic::subtract(re[j], t); re[j] = arithmetic::add(re[j], t); } + () // Needed because of https://github.com/hacspec/hax/issues/720 + } + + // Layer 5 + { + // 0: 0, 1, 2, 3 + // 1: 8, 9, 10, 11 + // 2: 16, 17, 18, 19 + // 3: 24, 25, 26, 27 + const STEP: usize = 1 << 5; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round::(re, 0, 237124); + round::(re, 1, -777960); + round::(re, 2, -876248); + round::(re, 3, 466468); + } + + // Layer 4 + { + // 0: 0, 1 + // 1: 4, 5 + // 2: 8, 9 + // 3: 12, 13 + // 4: 16, 17 + // 5: 20, 21 + // 6: 24, 25 + // 7: 28, 29 + const STEP: usize = 1 << 4; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round::(re, 0, 1826347); + round::(re, 1, 2353451); + round::(re, 2, -359251); + round::(re, 3, -2091905); + round::(re, 4, 3119733); + round::(re, 5, -2884855); + round::(re, 6, 3111497); + round::(re, 7, 2680103); } + + // Layer 3 + { + // 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 + const STEP: usize = 1 << 3; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round::(re, 0, 2725464); + round::(re, 1, 1024112); + round::(re, 2, -1079900); + round::(re, 3, 3585928); + round::(re, 4, -549488); + round::(re, 5, -1119584); + round::(re, 6, 2619752); + round::(re, 7, -2108549); + round::(re, 8, -2118186); + round::(re, 9, -3859737); + round::(re, 10, -1399561); + round::(re, 11, -3277672); + round::(re, 12, 1757237); + round::(re, 13, -19422); + round::(re, 14, 4010497); + round::(re, 15, 280005); + } + () } +#[allow(unsafe_code)] #[inline(always)] pub(crate) fn ntt( mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT], ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] { - let mut zeta_i = 0; - ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re); - ntt_at_layer_2(&mut zeta_i, &mut re); - ntt_at_layer_1(&mut zeta_i, &mut re); - ntt_at_layer_0(&mut zeta_i, &mut re); + unsafe { + ntt_at_layer_7_and_6(&mut re); + ntt_at_layer_5_to_3(&mut re); + ntt_at_layer_2(&mut re); + ntt_at_layer_1(&mut re); + ntt_at_layer_0(&mut re); + } re } diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs new file mode 100644 index 000000000..13fa15372 --- /dev/null +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -0,0 +1,25 @@ +#[derive(Clone, Copy)] +pub struct AVX2SIMDUnit { + pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, +} + +impl From for AVX2SIMDUnit { + fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { + Self { coefficients } + } +} + +#[allow(non_snake_case)] +pub(crate) fn ZERO() -> AVX2SIMDUnit { + libcrux_intrinsics::avx2::mm256_setzero_si256().into() +} + +pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> AVX2SIMDUnit { + libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() +} + +pub(crate) fn to_coefficient_array(x: &AVX2SIMDUnit) -> [i32; 8] { + let mut coefficient_array = [0i32; 8]; + libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, x.coefficients); + coefficient_array +} diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 05098b5c7..d45daf829 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -1,34 +1,26 @@ -use crate::simd::traits::{Operations, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; mod arithmetic; - +mod vector_type; // Some of the portable implementations are used in lieu of vectorized ones in // the AVX2 module. pub(crate) mod encoding; - mod ntt; mod sample; -#[derive(Clone, Copy)] -pub struct PortableSIMDUnit { - pub(crate) coefficients: [arithmetic::FieldElement; COEFFICIENTS_IN_SIMD_UNIT], -} +pub(crate) use vector_type::PortableSIMDUnit; impl Operations for PortableSIMDUnit { fn ZERO() -> Self { - PortableSIMDUnit { - coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], - } + vector_type::ZERO() } fn from_coefficient_array(array: &[i32]) -> Self { - PortableSIMDUnit { - coefficients: array[0..8].try_into().unwrap(), - } + vector_type::from_coefficient_array(array) } fn to_coefficient_array(&self) -> [i32; 8] { - self.coefficients.try_into().unwrap() + vector_type::to_coefficient_array(&self) } fn add(lhs: &Self, rhs: &Self) -> Self { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 1785d108e..51e009243 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,18 +1,11 @@ +use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, - simd::{ - portable::PortableSIMDUnit, - traits::{ - FieldElementTimesMontgomeryR, Operations, FIELD_MODULUS, - INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, - }, + simd::traits::{ + FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, }, }; -/// Values having this type hold a representative 'x' of the Kyber field. -/// We use 'fe' as a shorthand for this type. -pub(crate) type FieldElement = i32; - /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). /// We use 'mfe' as a shorthand for this type @@ -22,7 +15,7 @@ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut sum = PortableSIMDUnit::ZERO(); + let mut sum = ZERO(); for i in 0..sum.coefficients.len() { sum.coefficients[i] = lhs.coefficients[i] + rhs.coefficients[i]; @@ -33,7 +26,7 @@ pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { #[inline(always)] pub fn subtract(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut difference = PortableSIMDUnit::ZERO(); + let mut difference = ZERO(); for i in 0..difference.coefficients.len() { difference.coefficients[i] = lhs.coefficients[i] - rhs.coefficients[i]; @@ -86,7 +79,7 @@ pub(crate) fn montgomery_multiply( lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut product = PortableSIMDUnit::ZERO(); + let mut product = ZERO(); for i in 0..product.coefficients.len() { product.coefficients[i] = @@ -106,7 +99,8 @@ pub(crate) fn montgomery_multiply( // to the standard unsigned range. #[inline(always)] fn power2round_element(t: i32) -> (i32, i32) { - debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS, "t is {}", t); + // Hax issue: https://github.com/hacspec/hax/issues/1082 + debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let t = t + ((t >> 31) & FIELD_MODULUS); @@ -123,8 +117,8 @@ fn power2round_element(t: i32) -> (i32, i32) { } pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut t0_simd_unit = PortableSIMDUnit::ZERO(); - let mut t1_simd_unit = PortableSIMDUnit::ZERO(); + let mut t0_simd_unit = ZERO(); + let mut t1_simd_unit = ZERO(); for (i, t) in simd_unit.coefficients.into_iter().enumerate() { let (t0, t1) = power2round_element(t); @@ -150,11 +144,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { // straightforward way to do so (returning false) will not go through hax; // revisit if performance is impacted. for coefficient in simd_unit.coefficients.into_iter() { - debug_assert!( - coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS, - "coefficient is {}", - coefficient - ); + debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); // This norm is calculated using the absolute value of the // signed representative in the range: // @@ -165,7 +155,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { let sign = coefficient >> 31; let normalized = coefficient - (sign & (2 * coefficient)); - exceeds |= normalized >= bound; + exceeds = exceeds || normalized >= bound; } exceeds @@ -182,7 +172,7 @@ fn reduce_element(fe: FieldElement) -> FieldElement { pub fn shift_left_then_reduce( simd_unit: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut out = PortableSIMDUnit::ZERO(); + let mut out = ZERO(); for i in 0..simd_unit.coefficients.len() { out.coefficients[i] = reduce_element(simd_unit.coefficients[i] << SHIFT_BY); @@ -205,7 +195,7 @@ pub fn compute_hint( low: PortableSIMDUnit, high: PortableSIMDUnit, ) -> (usize, PortableSIMDUnit) { - let mut hint = PortableSIMDUnit::ZERO(); + let mut hint = ZERO(); let mut one_hints_count = 0; for i in 0..hint.coefficients.len() { @@ -234,11 +224,7 @@ pub fn compute_hint( #[allow(non_snake_case)] #[inline(always)] fn decompose_element(r: i32) -> (i32, i32) { - debug_assert!( - r > -FIELD_MODULUS && r < FIELD_MODULUS, - "the representative is {}", - r - ); + debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let r = r + ((r >> 31) & FIELD_MODULUS); @@ -319,8 +305,8 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { pub fn decompose( simd_unit: PortableSIMDUnit, ) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut low = PortableSIMDUnit::ZERO(); - let mut high = PortableSIMDUnit::ZERO(); + let mut low = ZERO(); + let mut high = ZERO(); for i in 0..low.coefficients.len() { let (low_part, high_part) = decompose_element::(simd_unit.coefficients[i]); @@ -336,7 +322,7 @@ pub fn use_hint( simd_unit: PortableSIMDUnit, hint: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut result = PortableSIMDUnit::ZERO(); + let mut result = ZERO(); for i in 0..result.coefficients.len() { result.coefficients[i] = diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index c6886ba50..6ffafe423 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -1,4 +1,4 @@ -use crate::simd::portable::PortableSIMDUnit; +use super::super::vector_type::PortableSIMDUnit; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; OUTPUT_SIZE] { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index d7878fbc8..5581cc2a4 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,4 +1,4 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] fn serialize_when_eta_is_2( @@ -54,7 +54,7 @@ pub(crate) fn serialize( fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 3); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 2; let byte0 = serialized[0] as i32; @@ -76,7 +76,7 @@ fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 4); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 4; for (i, byte) in serialized.iter().enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index eabb2fd81..3dbb5f20a 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,5 +1,4 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; - +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // This function is marked public since it is called in the corresponding AVX2 code. #[inline(always)] pub fn serialize_when_gamma1_is_2_pow_17( @@ -37,6 +36,7 @@ pub fn serialize_when_gamma1_is_2_pow_17( serialized } + #[inline(always)] fn serialize_when_gamma1_is_2_pow_19( simd_unit: PortableSIMDUnit, @@ -81,33 +81,33 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 17; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(9).enumerate() { - simd_unit.coefficients[4 * i] = bytes[0] as i32; - simd_unit.coefficients[4 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[4 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[4 * i] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 1] = (bytes[2] as i32) >> 2; - simd_unit.coefficients[4 * i + 1] |= (bytes[3] as i32) << 6; - simd_unit.coefficients[4 * i + 1] |= (bytes[4] as i32) << 14; - simd_unit.coefficients[4 * i + 1] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 2] = (bytes[4] as i32) >> 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[5] as i32) << 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[6] as i32) << 12; - simd_unit.coefficients[4 * i + 2] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 3] = (bytes[6] as i32) >> 6; - simd_unit.coefficients[4 * i + 3] |= (bytes[7] as i32) << 2; - simd_unit.coefficients[4 * i + 3] |= (bytes[8] as i32) << 10; - simd_unit.coefficients[4 * i + 3] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i] = GAMMA1 - simd_unit.coefficients[4 * i]; - simd_unit.coefficients[4 * i + 1] = GAMMA1 - simd_unit.coefficients[4 * i + 1]; - simd_unit.coefficients[4 * i + 2] = GAMMA1 - simd_unit.coefficients[4 * i + 2]; - simd_unit.coefficients[4 * i + 3] = GAMMA1 - simd_unit.coefficients[4 * i + 3]; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient1 = (bytes[2] as i32) >> 2; + coefficient1 |= (bytes[3] as i32) << 6; + coefficient1 |= (bytes[4] as i32) << 14; + coefficient1 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient2 = (bytes[4] as i32) >> 4; + coefficient2 |= (bytes[5] as i32) << 4; + coefficient2 |= (bytes[6] as i32) << 12; + coefficient2 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient3 = (bytes[6] as i32) >> 6; + coefficient3 |= (bytes[7] as i32) << 2; + coefficient3 |= (bytes[8] as i32) << 10; + coefficient3 &= GAMMA1_TIMES_2_BITMASK; + + simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; } simd_unit @@ -121,20 +121,20 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 19; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(5).enumerate() { - simd_unit.coefficients[2 * i] = bytes[0] as i32; - simd_unit.coefficients[2 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[2 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[2 * i] &= GAMMA1_TIMES_2_BITMASK; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; - simd_unit.coefficients[2 * i + 1] = (bytes[2] as i32) >> 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[3] as i32) << 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[4] as i32) << 12; + let mut coefficient1 = (bytes[2] as i32) >> 4; + coefficient1 |= (bytes[3] as i32) << 4; + coefficient1 |= (bytes[4] as i32) << 12; - simd_unit.coefficients[2 * i] = GAMMA1 - simd_unit.coefficients[2 * i]; - simd_unit.coefficients[2 * i + 1] = GAMMA1 - simd_unit.coefficients[2 * i + 1]; + simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; } simd_unit diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index da66b7729..626f14c43 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -1,7 +1,6 @@ -use crate::{ - constants::BITS_IN_LOWER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, -}; +use crate::constants::BITS_IN_LOWER_PART_OF_T; + +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // If t0 is a signed representative, change it to an unsigned one and // vice versa. @@ -63,8 +62,6 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 13); - let mut simd_unit = PortableSIMDUnit::ZERO(); - const BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1 << (BITS_IN_LOWER_PART_OF_T as i32)) - 1; let byte0 = serialized[0] as i32; @@ -81,50 +78,52 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { let byte11 = serialized[11] as i32; let byte12 = serialized[12] as i32; - simd_unit.coefficients[0] = byte0; - simd_unit.coefficients[0] |= byte1 << 8; - simd_unit.coefficients[0] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[1] = byte1 >> 5; - simd_unit.coefficients[1] |= byte2 << 3; - simd_unit.coefficients[1] |= byte3 << 11; - simd_unit.coefficients[1] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[2] = byte3 >> 2; - simd_unit.coefficients[2] |= byte4 << 6; - simd_unit.coefficients[2] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[3] = byte4 >> 7; - simd_unit.coefficients[3] |= byte5 << 1; - simd_unit.coefficients[3] |= byte6 << 9; - simd_unit.coefficients[3] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[4] = byte6 >> 4; - simd_unit.coefficients[4] |= byte7 << 4; - simd_unit.coefficients[4] |= byte8 << 12; - simd_unit.coefficients[4] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[5] = byte8 >> 1; - simd_unit.coefficients[5] |= byte9 << 7; - simd_unit.coefficients[5] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[6] = byte9 >> 6; - simd_unit.coefficients[6] |= byte10 << 2; - simd_unit.coefficients[6] |= byte11 << 10; - simd_unit.coefficients[6] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[7] = byte11 >> 3; - simd_unit.coefficients[7] |= byte12 << 5; - simd_unit.coefficients[7] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[0] = change_t0_interval(simd_unit.coefficients[0]); - simd_unit.coefficients[1] = change_t0_interval(simd_unit.coefficients[1]); - simd_unit.coefficients[2] = change_t0_interval(simd_unit.coefficients[2]); - simd_unit.coefficients[3] = change_t0_interval(simd_unit.coefficients[3]); - simd_unit.coefficients[4] = change_t0_interval(simd_unit.coefficients[4]); - simd_unit.coefficients[5] = change_t0_interval(simd_unit.coefficients[5]); - simd_unit.coefficients[6] = change_t0_interval(simd_unit.coefficients[6]); - simd_unit.coefficients[7] = change_t0_interval(simd_unit.coefficients[7]); + let mut coefficient0 = byte0; + coefficient0 |= byte1 << 8; + coefficient0 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient1 = byte1 >> 5; + coefficient1 |= byte2 << 3; + coefficient1 |= byte3 << 11; + coefficient1 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient2 = byte3 >> 2; + coefficient2 |= byte4 << 6; + coefficient2 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient3 = byte4 >> 7; + coefficient3 |= byte5 << 1; + coefficient3 |= byte6 << 9; + coefficient3 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient4 = byte6 >> 4; + coefficient4 |= byte7 << 4; + coefficient4 |= byte8 << 12; + coefficient4 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient5 = byte8 >> 1; + coefficient5 |= byte9 << 7; + coefficient5 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient6 = byte9 >> 6; + coefficient6 |= byte10 << 2; + coefficient6 |= byte11 << 10; + coefficient6 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient7 = byte11 >> 3; + coefficient7 |= byte12 << 5; + coefficient7 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut simd_unit = ZERO(); + + simd_unit.coefficients[0] = change_t0_interval(coefficient0); + simd_unit.coefficients[1] = change_t0_interval(coefficient1); + simd_unit.coefficients[2] = change_t0_interval(coefficient2); + simd_unit.coefficients[3] = change_t0_interval(coefficient3); + simd_unit.coefficients[4] = change_t0_interval(coefficient4); + simd_unit.coefficients[5] = change_t0_interval(coefficient5); + simd_unit.coefficients[6] = change_t0_interval(coefficient6); + simd_unit.coefficients[7] = change_t0_interval(coefficient7); simd_unit } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 3b8c56515..c0fc9de40 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -1,7 +1,6 @@ -use crate::{ - constants::BITS_IN_UPPER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, -}; +use crate::constants::BITS_IN_UPPER_PART_OF_T; + +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { @@ -25,7 +24,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 10); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1; for (i, bytes) in serialized.chunks_exact(5).enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index ac40a9c1c..b074ceffb 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,11 +1,8 @@ -use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; -use crate::simd::{ - portable::PortableSIMDUnit, - traits::{ - montgomery_multiply_by_fer, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, - ZETAS_TIMES_MONTGOMERY_R, - }, +use super::arithmetic::{ + self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer, MontgomeryFieldElement, }; +use super::vector_type::PortableSIMDUnit; +use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; #[inline(always)] pub fn simd_unit_ntt_at_layer_0( @@ -33,6 +30,7 @@ pub fn simd_unit_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, @@ -57,6 +55,7 @@ pub fn simd_unit_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[4], zeta); @@ -104,6 +103,7 @@ pub fn invert_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, @@ -128,6 +128,7 @@ pub fn invert_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let a_minus_b = simd_unit.coefficients[4] - simd_unit.coefficients[0]; @@ -150,82 +151,231 @@ pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> Port } #[inline(always)] -fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; +fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + re[index] = simd_unit_ntt_at_layer_0(re[index], zeta_0, zeta_1, zeta_2, zeta_3); + } - for round in 0..re.len() { - re[round] = simd_unit_ntt_at_layer_0( - re[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ); + round(re, 0, 2091667, 3407706, 2316500, 3817976); + round(re, 1, -3342478, 2244091, -2446433, -3562462); + round(re, 2, 266997, 2434439, -1235728, 3513181); + round(re, 3, -3520352, -3759364, -1197226, -3193378); + round(re, 4, 900702, 1859098, 909542, 819034); + round(re, 5, 495491, -1613174, -43260, -522500); + round(re, 6, -655327, -3122442, 2031748, 3207046); + round(re, 7, -3556995, -525098, -768622, -3595838); + round(re, 8, 342297, 286988, -2437823, 4108315); + round(re, 9, 3437287, -3342277, 1735879, 203044); + round(re, 10, 2842341, 2691481, -2590150, 1265009); + round(re, 11, 4055324, 1247620, 2486353, 1595974); + round(re, 12, -3767016, 1250494, 2635921, -3548272); + round(re, 13, -2994039, 1869119, 1903435, -1050970); + round(re, 14, -1333058, 1237275, -3318210, -1430225); + round(re, 15, -451100, 1312455, 3306115, -1962642); + round(re, 16, -1279661, 1917081, -2546312, -1374803); + round(re, 17, 1500165, 777191, 2235880, 3406031); + round(re, 18, -542412, -2831860, -1671176, -1846953); + round(re, 19, -2584293, -3724270, 594136, -3776993); + round(re, 20, -2013608, 2432395, 2454455, -164721); + round(re, 21, 1957272, 3369112, 185531, -1207385); + round(re, 22, -3183426, 162844, 1616392, 3014001); + round(re, 23, 810149, 1652634, -3694233, -1799107); + round(re, 24, -3038916, 3523897, 3866901, 269760); + round(re, 25, 2213111, -975884, 1717735, 472078); + round(re, 26, -426683, 1723600, -1803090, 1910376); + round(re, 27, -1667432, -1104333, -260646, -3833893); + round(re, 28, -2939036, -2235985, -420899, -2286327); + round(re, 29, 183443, -976891, 1612842, -3545687); + round(re, 30, -554416, 3919660, -48306, -1362209); + round(re, 31, 3937738, 1400424, -846154, 1976782); +} - *zeta_i += 4; +#[inline(always)] +fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + re[index] = simd_unit_ntt_at_layer_1(re[index], zeta_0, zeta_1); } - *zeta_i -= 1; + round(re, 0, -3930395, -1528703); + round(re, 1, -3677745, -3041255); + round(re, 2, -1452451, 3475950); + round(re, 3, 2176455, -1585221); + round(re, 4, -1257611, 1939314); + round(re, 5, -4083598, -1000202); + round(re, 6, -3190144, -3157330); + round(re, 7, -3632928, 126922); + round(re, 8, 3412210, -983419); + round(re, 9, 2147896, 2715295); + round(re, 10, -2967645, -3693493); + round(re, 11, -411027, -2477047); + round(re, 12, -671102, -1228525); + round(re, 13, -22981, -1308169); + round(re, 14, -381987, 1349076); + round(re, 15, 1852771, -1430430); + round(re, 16, -3343383, 264944); + round(re, 17, 508951, 3097992); + round(re, 18, 44288, -1100098); + round(re, 19, 904516, 3958618); + round(re, 20, -3724342, -8578); + round(re, 21, 1653064, -3249728); + round(re, 22, 2389356, -210977); + round(re, 23, 759969, -1316856); + round(re, 24, 189548, -3553272); + round(re, 25, 3159746, -1851402); + round(re, 26, -2409325, -177440); + round(re, 27, 1315589, 1341330); + round(re, 28, 1285669, -1584928); + round(re, 29, -812732, -1439742); + round(re, 30, -3019102, -3881060); + round(re, 31, -3628969, 3839961); } + #[inline(always)] -fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; +fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + #[inline(always)] + fn round(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta: i32) { + re[index] = simd_unit_ntt_at_layer_2(re[index], zeta); + } + + round(re, 0, 2706023); + round(re, 1, 95776); + round(re, 2, 3077325); + round(re, 3, 3530437); + round(re, 4, -1661693); + round(re, 5, -3592148); + round(re, 6, -2537516); + round(re, 7, 3915439); + round(re, 8, -3861115); + round(re, 9, -3043716); + round(re, 10, 3574422); + round(re, 11, -2867647); + round(re, 12, 3539968); + round(re, 13, -300467); + round(re, 14, 2348700); + round(re, 15, -539299); + round(re, 16, -1699267); + round(re, 17, -1643818); + round(re, 18, 3505694); + round(re, 19, -3821735); + round(re, 20, 3507263); + round(re, 21, -2140649); + round(re, 22, -1600420); + round(re, 23, 3699596); + round(re, 24, 811944); + round(re, 25, 531354); + round(re, 26, 954230); + round(re, 27, 3881043); + round(re, 28, 3900724); + round(re, 29, -2556880); + round(re, 30, 2071892); + round(re, 31, -2797779); +} - for round in 0..re.len() { - re[round] = simd_unit_ntt_at_layer_1( - re[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ); +#[inline(always)] +fn outer_3_plus( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], +) { + for j in OFFSET..OFFSET + STEP_BY { + let t = montgomery_multiply_by_constant(re[j + STEP_BY], ZETA); - *zeta_i += 2; + re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); + re[j] = arithmetic::add(&re[j], &t); } + () // Needed because of https://github.com/hacspec/hax/issues/720 +} - *zeta_i -= 1; +#[inline(always)] +fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 8; // 1 << LAYER; + const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re); + outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re); + outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(re); + outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re); + outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re); + outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re); + outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re); + outer_3_plus::<{ (10 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re); + outer_3_plus::<{ (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re); + outer_3_plus::<{ (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re); + outer_3_plus::<{ (13 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -19422>(re); + outer_3_plus::<{ (14 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 4010497>(re); + outer_3_plus::<{ (15 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 280005>(re); } + #[inline(always)] -fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - for round in 0..re.len() { - *zeta_i += 1; - re[round] = simd_unit_ntt_at_layer_2(re[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); - } +fn ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 16; // 1 << LAYER; + const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1826347>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2353451>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -359251>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2091905>(re); + outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3119733>(re); + outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2884855>(re); + outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3111497>(re); + outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2680103>(re); } + #[inline(always)] -fn ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], -) { - let step = 1 << LAYER; +fn ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 32; // 1 << LAYER; + const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 237124>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -777960>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -876248>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 466468>(re); +} - for round in 0..(128 >> LAYER) { - *zeta_i += 1; +#[inline(always)] +fn ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 64; // 1 << LAYER; + const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2608894>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -518909>(re); +} - for j in offset..offset + step_by { - let t = montgomery_multiply_by_fer(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); +#[inline(always)] +fn ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 128; // 1 << LAYER; + const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; - re[j + step_by] = arithmetic::subtract(&re[j], &t); - re[j] = arithmetic::add(&re[j], &t); - } - } + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 25847>(re); } #[inline(always)] pub(crate) fn ntt( mut re: [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], ) -> [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] { - let mut zeta_i = 0; - - ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re); - ntt_at_layer_2(&mut zeta_i, &mut re); - ntt_at_layer_1(&mut zeta_i, &mut re); - ntt_at_layer_0(&mut zeta_i, &mut re); + ntt_at_layer_7(&mut re); + ntt_at_layer_6(&mut re); + ntt_at_layer_5(&mut re); + ntt_at_layer_4(&mut re); + ntt_at_layer_3(&mut re); + ntt_at_layer_2(&mut re); + ntt_at_layer_1(&mut re); + ntt_at_layer_0(&mut re); re } diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs new file mode 100644 index 000000000..3a71624d9 --- /dev/null +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -0,0 +1,26 @@ +use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; +/// Values having this type hold a representative 'x' of the ML-DSA field. +/// We use 'fe' as a shorthand for this type. +pub(crate) type FieldElement = i32; + +#[derive(Clone, Copy)] +pub struct PortableSIMDUnit { + pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_SIMD_UNIT], +} + +#[allow(non_snake_case)] +pub(crate) fn ZERO() -> PortableSIMDUnit { + PortableSIMDUnit { + coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], + } +} + +pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit { + PortableSIMDUnit { + coefficients: array[0..8].try_into().unwrap(), + } +} + +pub(crate) fn to_coefficient_array(x: &PortableSIMDUnit) -> [i32; 8] { + x.coefficients +} diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs new file mode 100644 index 000000000..acd67ac45 --- /dev/null +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -0,0 +1,94 @@ +use crate::simd::traits::*; + +fn test_decompose_generic() { + // When GAMMA2 = 95,232 + let input = SIMDUnit::from_coefficient_array(&[ + 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, + ]); + + let expected_low = SIMDUnit::from_coefficient_array(&[ + -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, + ]); + let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); + + let (low, high) = SIMDUnit::decompose::<95_232>(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); + + // When GAMMA2 = 261,888 + let input = SIMDUnit::from_coefficient_array(&[ + 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, + ]); + + let expected_low = SIMDUnit::from_coefficient_array(&[ + 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, + ]); + let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); + + let (low, high) = SIMDUnit::decompose::<261_888>(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); +} + +fn test_power2round_generic() { + let input = SIMDUnit::from_coefficient_array(&[ + 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, + ]); + + let expected_low = + SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); + let expected_high = SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); + + let (low, high) = SIMDUnit::power2round(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); +} + +#[cfg(not(feature = "simd256"))] +mod portable { + use super::{test_decompose_generic, test_power2round_generic}; + + #[test] + fn test_decompose() { + test_decompose_generic::(); + } + #[test] + fn test_power2round() { + test_power2round_generic::(); + } +} + +#[cfg(feature = "simd256")] +mod avx2 { + use super::{test_decompose_generic, test_power2round_generic}; + + #[test] + fn test_decompose() { + test_decompose_generic::(); + } + #[test] + fn test_power2round() { + test_power2round_generic::(); + } +} diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 71d7455f1..38715a115 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -14,35 +14,6 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; /// We use 'fer' as a shorthand for this type. pub(crate) type FieldElementTimesMontgomeryR = i32; -pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [ - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, - -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, - -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, - 280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, - -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694, - -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724, - -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, - 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525, - -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992, - 44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, - -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669, - -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500, - 3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352, - -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, - -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, - 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150, - 1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, -2994039, - 1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, - -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412, - -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455, - -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149, - 1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, - 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036, - -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306, - -1362209, 3937738, 1400424, -846154, 1976782, -]; - pub(crate) trait Operations: Copy + Clone { #[allow(non_snake_case)] fn ZERO() -> Self; @@ -121,102 +92,3 @@ pub(crate) trait Operations: Copy + Clone { pub fn montgomery_multiply_by_fer(simd_unit: S, fer: i32) -> S { S::montgomery_multiply_by_constant(simd_unit, fer) } - -#[cfg(test)] -mod tests { - use super::*; - - fn test_decompose_generic() { - // When GAMMA2 = 95,232 - let input = SIMDUnit::from_coefficient_array(&[ - 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); - - let (low, high) = SIMDUnit::decompose::<95_232>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - - // When GAMMA2 = 261,888 - let input = SIMDUnit::from_coefficient_array(&[ - 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); - - let (low, high) = SIMDUnit::decompose::<261_888>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - fn test_power2round_generic() { - let input = SIMDUnit::from_coefficient_array(&[ - 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, - ]); - - let expected_low = - SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); - let expected_high = - SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); - - let (low, high) = SIMDUnit::power2round(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - #[cfg(not(feature = "simd256"))] - mod portable { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } - - #[cfg(feature = "simd256")] - mod avx2 { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } -} diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index 72c5e1479..d432b1e99 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs @@ -33,3 +33,30 @@ pub struct MLDSAKeyPair, pub verification_key: MLDSAVerificationKey, } + +use crate::{constants::*, polynomial::PolynomialRingElement, simd::traits::Operations}; + +pub(crate) struct Signature< + SIMDUnit: Operations, + const COMMITMENT_HASH_SIZE: usize, + const COLUMNS_IN_A: usize, + const ROWS_IN_A: usize, +> { + pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], + pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], + pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], +} + +#[derive(Debug)] +pub enum VerificationError { + MalformedHintError, + SignerResponseExceedsBoundError, + CommitmentHashesDontMatchError, + ContextTooLongError, +} + +#[derive(Debug)] +pub enum SigningError { + RejectionSamplingError, + ContextTooLongError, +} diff --git a/libcrux-ml-dsa/tests/acvp.rs b/libcrux-ml-dsa/tests/acvp.rs index ebdc2ce9f..75f0c1ddf 100644 --- a/libcrux-ml-dsa/tests/acvp.rs +++ b/libcrux-ml-dsa/tests/acvp.rs @@ -63,8 +63,6 @@ struct ResultPromptTestGroup { #[test] fn keygen() { - use libcrux_ml_dsa::*; - let prompts: Prompts = read("keygen", "prompt.json"); assert!(prompts.algorithm == "ML-DSA"); assert!(prompts.revision == "FIPS204"); @@ -83,37 +81,50 @@ fn keygen() { eprintln!("{parameter_set}"); for test in kat.tests { - eprintln!(" {}", test.tcId); - fn check( - keys: MLDSAKeyPair, - result: &KeyGenResult, - ) { - assert_eq!(result.pk, keys.verification_key.as_slice()); - assert_eq!(result.sk, keys.signing_key.as_slice()); - } - - let expected_result = results - .testGroups - .iter() - .find(|tg| tg.tgId == kat.tgId) - .unwrap() - .tests - .iter() - .find(|t| t.tcId == test.tcId) - .unwrap(); - - match parameter_set.as_str() { - "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result), - - "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result), - - "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result), - _ => unimplemented!(), - } + keygen_inner(test, &results, kat.tgId, ¶meter_set); } } } +#[inline(never)] +#[allow(non_snake_case)] +fn keygen_inner( + test: KeyGenPrompt, + results: &Results, + tgId: usize, + parameter_set: &String, +) { + use libcrux_ml_dsa::*; + eprintln!(" {}", test.tcId); + #[inline(never)] + fn check( + keys: MLDSAKeyPair, + result: &KeyGenResult, + ) { + assert_eq!(result.pk, keys.verification_key.as_slice()); + assert_eq!(result.sk, keys.signing_key.as_slice()); + } + + let expected_result = results + .testGroups + .iter() + .find(|tg| tg.tgId == tgId) + .unwrap() + .tests + .iter() + .find(|t| t.tcId == test.tcId) + .unwrap(); + + match parameter_set.as_str() { + "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result), + + "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result), + + "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result), + _ => unimplemented!(), + } +} + fn read(variant: &str, file: &str) -> T { let katfile_path = Path::new("tests") .join("kats") @@ -128,8 +139,6 @@ fn read(variant: &str, file: &str) -> T { #[test] fn siggen() { - use libcrux_ml_dsa::*; - let prompts: Prompts = read("siggen", "prompt.json"); assert!(prompts.algorithm == "ML-DSA"); assert!(prompts.revision == "FIPS204"); @@ -148,59 +157,69 @@ fn siggen() { eprintln!("{parameter_set}"); for test in kat.tests { - eprintln!(" {}", test.tcId); - let expected_result = results - .testGroups - .iter() - .find(|tg| tg.tgId == kat.tgId) - .unwrap() - .tests - .iter() - .find(|t| t.tcId == test.tcId) - .unwrap(); - - let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32])); - - match parameter_set.as_str() { - "ML-DSA-44" => { - let signature = ml_dsa_44::sign_internal( - &MLDSASigningKey(test.sk.try_into().unwrap()), - &test.message, - rnd, - ) - .unwrap(); - assert_eq!(signature.as_slice(), expected_result.signature); - } - - "ML-DSA-65" => { - let signature = ml_dsa_65::sign_internal( - &MLDSASigningKey(test.sk.try_into().unwrap()), - &test.message, - rnd, - ) - .unwrap(); - assert_eq!(signature.as_slice(), expected_result.signature); - } - - "ML-DSA-87" => { - let signature = ml_dsa_87::sign_internal( - &MLDSASigningKey(test.sk.try_into().unwrap()), - &test.message, - rnd, - ) - .unwrap(); - assert_eq!(signature.as_slice(), expected_result.signature); - } - _ => unimplemented!(), - } + siggen_inner(test, &results, kat.tgId, ¶meter_set); } } } -#[test] -fn sigver() { +#[inline(never)] +#[allow(non_snake_case)] +fn siggen_inner( + test: SigGenTest, + results: &Results, + tgId: usize, + parameter_set: &String, +) { use libcrux_ml_dsa::*; + eprintln!(" {}", test.tcId); + let expected_result = results + .testGroups + .iter() + .find(|tg| tg.tgId == tgId) + .unwrap() + .tests + .iter() + .find(|t| t.tcId == test.tcId) + .unwrap(); + + let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32])); + + match parameter_set.as_str() { + "ML-DSA-44" => { + let signature = ml_dsa_44::sign_internal( + &MLDSASigningKey(test.sk.try_into().unwrap()), + &test.message, + rnd, + ) + .unwrap(); + assert_eq!(signature.as_slice(), expected_result.signature); + } + "ML-DSA-65" => { + let signature = ml_dsa_65::sign_internal( + &MLDSASigningKey(test.sk.try_into().unwrap()), + &test.message, + rnd, + ) + .unwrap(); + assert_eq!(signature.as_slice(), expected_result.signature); + } + + "ML-DSA-87" => { + let signature = ml_dsa_87::sign_internal( + &MLDSASigningKey(test.sk.try_into().unwrap()), + &test.message, + rnd, + ) + .unwrap(); + assert_eq!(signature.as_slice(), expected_result.signature); + } + _ => unimplemented!(), + } +} + +#[test] +fn sigver() { let prompts: Prompts = read("sigver", "prompt.json"); assert!(prompts.algorithm == "ML-DSA"); assert!(prompts.revision == "FIPS204"); @@ -219,47 +238,60 @@ fn sigver() { eprintln!("{parameter_set}"); for test in kat.tests { - eprintln!(" {}", test.tcId); - let expected_result = results - .testGroups - .iter() - .find(|tg| tg.tgId == kat.tgId) - .unwrap() - .tests - .iter() - .find(|t| t.tcId == test.tcId) - .unwrap(); - - match parameter_set.as_str() { - "ML-DSA-44" => { - let valid = ml_dsa_44::verify_internal( - &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()), - &test.message, - &MLDSASignature(test.signature.try_into().unwrap()), - ); - assert_eq!(valid.is_ok(), expected_result.testPassed); - } - - "ML-DSA-65" => { - let valid = ml_dsa_65::verify_internal( - &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()), - &test.message, - &MLDSASignature(test.signature.try_into().unwrap()), - ); - assert_eq!(valid.is_ok(), expected_result.testPassed); - } - - "ML-DSA-87" => { - let valid = ml_dsa_87::verify_internal( - &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()), - &test.message, - &MLDSASignature(test.signature.try_into().unwrap()), - ); - assert_eq!(valid.is_ok(), expected_result.testPassed); - } - _ => unimplemented!(), - } + sigver_inner(test, &results, kat.tgId, &kat.pk, ¶meter_set); + } + } +} + +#[inline(never)] +#[allow(non_snake_case)] +fn sigver_inner( + test: SigVerTest, + results: &Results, + tgId: usize, + pk: &[u8], + parameter_set: &String, +) { + use libcrux_ml_dsa::*; + eprintln!(" {}", test.tcId); + let expected_result = results + .testGroups + .iter() + .find(|tg| tg.tgId == tgId) + .unwrap() + .tests + .iter() + .find(|t| t.tcId == test.tcId) + .unwrap(); + + match parameter_set.as_str() { + "ML-DSA-44" => { + let valid = ml_dsa_44::verify_internal( + &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()), + &test.message, + &MLDSASignature(test.signature.try_into().unwrap()), + ); + assert_eq!(valid.is_ok(), expected_result.testPassed); + } + + "ML-DSA-65" => { + let valid = ml_dsa_65::verify_internal( + &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()), + &test.message, + &MLDSASignature(test.signature.try_into().unwrap()), + ); + assert_eq!(valid.is_ok(), expected_result.testPassed); + } + + "ML-DSA-87" => { + let valid = ml_dsa_87::verify_internal( + &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()), + &test.message, + &MLDSASignature(test.signature.try_into().unwrap()), + ); + assert_eq!(valid.is_ok(), expected_result.testPassed); } + _ => unimplemented!(), } } diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml index 87e585f3c..08e922560 100644 --- a/libcrux-ml-kem/Cargo.toml +++ b/libcrux-ml-kem/Cargo.toml @@ -26,8 +26,7 @@ rand = { version = "0.8", optional = true } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } - -hax-lib.workspace = true +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] # By default all variants and std are enabled. @@ -44,9 +43,6 @@ mlkem512 = [] mlkem768 = [] mlkem1024 = [] -# Enable the unpacked API -unpacked = [] - # Enable Round 3 Kyber in addition to ML-KEM kyber = [] @@ -83,7 +79,7 @@ name = "keygen" required-features = ["mlkem768"] [package.metadata."docs.rs"] -features = ["pre-verification", "kyber", "unpacked"] +features = ["pre-verification", "kyber"] rustdoc-args = ["--cfg", "doc_cfg"] [lints.rust] diff --git a/libcrux-ml-kem/c/CMakeLists.txt b/libcrux-ml-kem/c/CMakeLists.txt index 121558310..7eb5cd5ca 100644 --- a/libcrux-ml-kem/c/CMakeLists.txt +++ b/libcrux-ml-kem/c/CMakeLists.txt @@ -17,6 +17,7 @@ if(NOT MSVC) # TODO: Clean up add_compile_options( -Wall + # -Wextra # -pedantic # -Wconversion @@ -29,6 +30,7 @@ if(NOT MSVC) endif(NOT MSVC) set(CMAKE_COLOR_DIAGNOSTICS "ON") + # For LSP-based editors set(CMAKE_EXPORT_COMPILE_COMMANDS 1) include_directories( @@ -101,12 +103,10 @@ if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8" AND DEFINED ENV{LIBCRU endif() # --- Tests - if(DEFINED ENV{LIBCRUX_UNPACKED}) add_compile_definitions(LIBCRUX_UNPACKED) endif(DEFINED ENV{LIBCRUX_UNPACKED}) - # Get gtests include(FetchContent) FetchContent_Declare(googletest @@ -144,52 +144,54 @@ target_link_libraries(sha3_test PRIVATE ) # --- Benchmarks -FetchContent_Declare(benchmark - GIT_REPOSITORY https://github.com/google/benchmark.git - GIT_TAG v1.8.4 -) -FetchContent_MakeAvailable(benchmark) +if(DEFINED ENV{LIBCRUX_BENCHMARKS}) + FetchContent_Declare(benchmark + GIT_REPOSITORY https://github.com/google/benchmark.git + GIT_TAG v1.8.4 + ) + FetchContent_MakeAvailable(benchmark) -add_executable(ml_kem_bench - ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc -) -target_link_libraries(ml_kem_bench PRIVATE - ml_kem_static - benchmark::benchmark -) + add_executable(ml_kem_bench + ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc + ) + target_link_libraries(ml_kem_bench PRIVATE + ml_kem_static + benchmark::benchmark + ) -if(DEFINED ENV{SYMCRYPT_PATH}) - message("Symcrypt path: $ENV{SYMCRYPT_PATH}") - add_compile_definitions(LIBCRUX_SYMCRYPT) - target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) - target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) - target_link_libraries(ml_kem_bench PRIVATE symcrypt) -endif(DEFINED ENV{SYMCRYPT_PATH}) + if(DEFINED ENV{SYMCRYPT_PATH}) + message("Symcrypt path: $ENV{SYMCRYPT_PATH}") + add_compile_definitions(LIBCRUX_SYMCRYPT) + target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) + target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) + target_link_libraries(ml_kem_bench PRIVATE symcrypt) + endif(DEFINED ENV{SYMCRYPT_PATH}) -add_executable(ml_kem_keygen - ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc -) -target_link_libraries(ml_kem_keygen PRIVATE - ml_kem_static - benchmark::benchmark -) - -add_executable(ml_kem_encaps - ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc -) -target_link_libraries(ml_kem_encaps PRIVATE - ml_kem_static - benchmark::benchmark -) + add_executable(ml_kem_keygen + ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc + ) + target_link_libraries(ml_kem_keygen PRIVATE + ml_kem_static + benchmark::benchmark + ) -if(NOT MSVC) - # We benchmark internal functions here that are inlined and thus not available - # in MSVC. - add_executable(sha3_bench - ${PROJECT_SOURCE_DIR}/benches/sha3.cc + add_executable(ml_kem_encaps + ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc ) - target_link_libraries(sha3_bench PRIVATE + target_link_libraries(ml_kem_encaps PRIVATE ml_kem_static benchmark::benchmark ) -endif(NOT MSVC) + + if(NOT MSVC) + # We benchmark internal functions here that are inlined and thus not available + # in MSVC. + add_executable(sha3_bench + ${PROJECT_SOURCE_DIR}/benches/sha3.cc + ) + target_link_libraries(sha3_bench PRIVATE + ml_kem_static + benchmark::benchmark + ) + endif(NOT MSVC) +endif(DEFINED ENV{LIBCRUX_BENCHMARKS}) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 69ab3fe65..a05d71620 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc -Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 +Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index bec9045cd..d22ca4534 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_core_H @@ -62,151 +62,163 @@ typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s { /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 1568 */ -libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_5a_af( +libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_40_af( uint8_t value[1568U]); +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 */ -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_3a_94( +libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_17_94( libcrux_ml_kem_types_MlKemPrivateKey_83 sk, libcrux_ml_kem_types_MlKemPublicKey_64 pk); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 3168 */ -libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_7f_39( +libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_88_39( uint8_t value[3168U]); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 1184 */ -libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_5a_d0( +libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_40_d0( uint8_t value[1184U]); +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ -libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_3a_74( +libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_17_74( libcrux_ml_kem_types_MlKemPrivateKey_d9 sk, libcrux_ml_kem_types_MlKemPublicKey_30 pk); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 2400 */ -libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_7f_28( +libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_88_28( uint8_t value[2400U]); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 800 */ -libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_5a_4d( +libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_40_4d( uint8_t value[800U]); +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 */ -libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_3a_fa( +libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_17_fa( libcrux_ml_kem_types_MlKemPrivateKey_fa sk, libcrux_ml_kem_types_MlKemPublicKey_52 pk); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 1632 */ -libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_7f_2a( +libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_88_2a( uint8_t value[1632U]); /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. +*/ +/** +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 1184 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_d0( +uint8_t *libcrux_ml_kem_types_as_slice_ba_d0( libcrux_ml_kem_types_MlKemPublicKey_30 *self); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 1088 */ -libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_01_80( +libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_fc_80( uint8_t value[1088U]); /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 1088 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_80( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self); /** @@ -221,38 +233,41 @@ void libcrux_ml_kem_utils_into_padded_array_15(Eurydice_slice slice, uint8_t ret[1120U]); /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. +*/ +/** +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 800 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_4d( +uint8_t *libcrux_ml_kem_types_as_slice_ba_4d( libcrux_ml_kem_types_MlKemPublicKey_52 *self); /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 768 */ -libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_01_d0( +libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_fc_d0( uint8_t value[768U]); /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 768 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_d0( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_d0( libcrux_ml_kem_types_MlKemCiphertext_1a *self); /** @@ -267,14 +282,17 @@ void libcrux_ml_kem_utils_into_padded_array_4d(Eurydice_slice slice, uint8_t ret[800U]); /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} +*/ +/** +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 1568 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_af( +uint8_t *libcrux_ml_kem_types_as_slice_ba_af( libcrux_ml_kem_types_MlKemPublicKey_64 *self); /** @@ -314,14 +332,14 @@ void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice, /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 1568 */ -libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_01_af( +libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_fc_af( uint8_t value[1568U]); /** @@ -337,14 +355,14 @@ void libcrux_ml_kem_utils_into_padded_array_c8(Eurydice_slice slice, /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 1568 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_af( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_af( libcrux_ml_kem_types_MlKemCiphertext_64 *self); /** diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 415e60735..c24314383 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_mlkem_avx2_H @@ -33,6 +33,13 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_f6_s { __m256i coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_f6; +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -43,6 +50,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_ed(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -120,6 +134,13 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -130,6 +151,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_1e(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -207,6 +235,13 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]); +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -217,6 +252,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_ba(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index e795935db..9fca2cfa0 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_mlkem_portable_H @@ -23,7 +23,7 @@ extern "C" { #include "internal/libcrux_core.h" #include "internal/libcrux_sha3_internal.h" -int16_t libcrux_ml_kem_polynomial_get_zeta(size_t i); +extern const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U]; #define LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT \ (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ @@ -38,6 +38,13 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_1d_s { libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_1d; +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -48,6 +55,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_00(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] @@ -125,6 +139,13 @@ void libcrux_ml_kem_ind_cca_decapsulate_621( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]); +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -135,6 +156,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_86(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$2size_t]] @@ -212,6 +240,13 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( libcrux_ml_kem_types_MlKemPrivateKey_fa *private_key, libcrux_ml_kem_types_MlKemCiphertext_1a *ciphertext, uint8_t ret[32U]); +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -222,6 +257,13 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_6c(uint8_t *public_key); +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 7f8fb03e9..4ece01c07 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index c21de7718..36114b5bd 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_sha3_internal_H @@ -42,6 +42,16 @@ libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_absorb_final_9e(s, buf); } +/** + Squeeze another block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { + Eurydice_slice buf[1U] = {out0}; + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf); +} + /** A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks with types uint64_t @@ -79,16 +89,6 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf); } -/** - Squeeze another block -*/ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { - Eurydice_slice buf[1U] = {out0}; - libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf); -} - #define libcrux_sha3_Sha224 0 #define libcrux_sha3_Sha256 1 #define libcrux_sha3_Sha384 2 diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 4b786c0db..44bb82cfb 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -8,28 +8,37 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_core.h" +/** + Return 1 if `value` is not zero and 0 otherwise. +*/ static uint8_t inz(uint8_t value) { uint16_t value0 = (uint16_t)value; - uint8_t result = - (uint8_t)((uint32_t)core_num__u16_7__wrapping_add(~value0, 1U) >> 8U); - return (uint32_t)result & 1U; + uint16_t result = (((uint32_t)value0 | + (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) & + 0xFFFFU) >> + 8U & + 1U; + return (uint8_t)result; } static KRML_NOINLINE uint8_t is_non_zero(uint8_t value) { return inz(value); } +/** + Return 1 if the bytes of `lhs` and `rhs` do not exactly + match and 0 otherwise. +*/ static uint8_t compare(Eurydice_slice lhs, Eurydice_slice rhs) { uint8_t r = 0U; for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; - uint8_t nr = (uint32_t)r | - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); - r = nr; + r = (uint32_t)r | + ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); } return is_non_zero(r); } @@ -39,6 +48,10 @@ compare_ciphertexts_in_constant_time(Eurydice_slice lhs, Eurydice_slice rhs) { return compare(lhs, rhs); } +/** + If `selector` is not zero, return the bytes in `rhs`; return the bytes in + `lhs` otherwise. +*/ static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, uint8_t ret[32U]) { uint8_t mask = core_num__u8_6__wrapping_sub(is_non_zero(selector), 1U); @@ -46,12 +59,10 @@ static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; i++) { size_t i0 = i; - uint8_t outi = - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & - (uint32_t)mask) | - ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & - (uint32_t)~mask); - out[i0] = outi; + out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & + (uint32_t)mask) | + ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & + (uint32_t)~mask); } memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } @@ -73,14 +84,14 @@ void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_i /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 1568 */ -libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_5a_af( +libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_40_af( uint8_t value[1568U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1568U]; @@ -90,17 +101,20 @@ libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_5a_af( return lit; } +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 */ -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_3a_94( +libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_17_94( libcrux_ml_kem_types_MlKemPrivateKey_83 sk, libcrux_ml_kem_types_MlKemPublicKey_64 pk) { return ( @@ -109,14 +123,14 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_3a_94( /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 3168 */ -libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_7f_39( +libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_88_39( uint8_t value[3168U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[3168U]; @@ -128,14 +142,14 @@ libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_7f_39( /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 1184 */ -libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_5a_d0( +libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_40_d0( uint8_t value[1184U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1184U]; @@ -145,17 +159,20 @@ libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_5a_d0( return lit; } +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ -libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_3a_74( +libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_17_74( libcrux_ml_kem_types_MlKemPrivateKey_d9 sk, libcrux_ml_kem_types_MlKemPublicKey_30 pk) { return ( @@ -164,14 +181,14 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_3a_74( /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 2400 */ -libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_7f_28( +libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_88_28( uint8_t value[2400U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[2400U]; @@ -183,14 +200,14 @@ libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_7f_28( /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 800 */ -libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_5a_4d( +libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_40_4d( uint8_t value[800U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[800U]; @@ -200,17 +217,20 @@ libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_5a_4d( return lit; } +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 */ -libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_3a_fa( +libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_17_fa( libcrux_ml_kem_types_MlKemPrivateKey_fa sk, libcrux_ml_kem_types_MlKemPublicKey_52 pk) { return (CLITERAL(libcrux_ml_kem_types_MlKemKeyPair_3e){.sk = sk, .pk = pk}); @@ -218,14 +238,14 @@ libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_3a_fa( /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 1632 */ -libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_7f_2a( +libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_88_2a( uint8_t value[1632U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1632U]; @@ -236,28 +256,31 @@ libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_7f_2a( } /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} +*/ +/** +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 1184 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_d0( +uint8_t *libcrux_ml_kem_types_as_slice_ba_d0( libcrux_ml_kem_types_MlKemPublicKey_30 *self) { return self->value; } /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 1088 */ -libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_01_80( +libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_fc_80( uint8_t value[1088U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1088U]; @@ -269,14 +292,14 @@ libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_01_80( /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 1088 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_80( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t); } @@ -301,28 +324,31 @@ void libcrux_ml_kem_utils_into_padded_array_15(Eurydice_slice slice, } /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. +*/ +/** +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 800 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_4d( +uint8_t *libcrux_ml_kem_types_as_slice_ba_4d( libcrux_ml_kem_types_MlKemPublicKey_52 *self) { return self->value; } /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 768 */ -libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_01_d0( +libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_fc_d0( uint8_t value[768U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[768U]; @@ -334,14 +360,14 @@ libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_01_d0( /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 768 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_d0( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_d0( libcrux_ml_kem_types_MlKemCiphertext_1a *self) { return Eurydice_array_to_slice((size_t)768U, self->value, uint8_t); } @@ -366,14 +392,17 @@ void libcrux_ml_kem_utils_into_padded_array_4d(Eurydice_slice slice, } /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. +*/ +/** +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 1568 */ -uint8_t *libcrux_ml_kem_types_as_slice_fd_af( +uint8_t *libcrux_ml_kem_types_as_slice_ba_af( libcrux_ml_kem_types_MlKemPublicKey_64 *self) { return self->value; } @@ -420,14 +449,14 @@ void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice, /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 1568 */ -libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_01_af( +libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_fc_af( uint8_t value[1568U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1568U]; @@ -458,14 +487,14 @@ void libcrux_ml_kem_utils_into_padded_array_c8(Eurydice_slice slice, /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 1568 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_00_af( +Eurydice_slice libcrux_ml_kem_types_as_ref_fd_af( libcrux_ml_kem_types_MlKemCiphertext_64 *self) { return Eurydice_array_to_slice((size_t)1568U, self->value, uint8_t); } diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index 003c85595..ad32ee35d 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index 1119f346c..a0f95f0c5 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index 1a54ebf6b..bb22e0ab3 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem1024_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index d5ff384b0..ea4a4d335 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index 85d86f144..a9a24e5cd 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c @@ -8,13 +8,16 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem1024_portable.h" #include "internal/libcrux_mlkem_portable.h" +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics @@ -65,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- C1_BLOCK_SIZE= 352 +- VECTOR_U_BLOCK_LEN= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -98,6 +101,9 @@ tuple_fa libcrux_ml_kem_mlkem1024_portable_encapsulate( return encapsulate_8f(uu____0, copy_of_randomness); } +/** + Portable generate key pair. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const @@ -106,7 +112,7 @@ generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- RANKED_BYTES_PER_RING_ELEMENT= 1536 +- BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index dc3177ebd..26015c028 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index 86a9d0700..8a8d55669 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_H @@ -21,28 +21,52 @@ extern "C" { #include "eurydice_glue.h" #include "libcrux_core.h" -#define LIBCRUX_ML_KEM_MLKEM512_C1_BLOCK_SIZE_512 ((size_t)320U) +#define LIBCRUX_ML_KEM_MLKEM512_VECTOR_U_COMPRESSION_FACTOR_512 ((size_t)10U) + +#define LIBCRUX_ML_KEM_MLKEM512_C1_BLOCK_SIZE_512 \ + (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ + LIBCRUX_ML_KEM_MLKEM512_VECTOR_U_COMPRESSION_FACTOR_512 / (size_t)8U) + +#define LIBCRUX_ML_KEM_MLKEM512_RANK_512 ((size_t)2U) + +#define LIBCRUX_ML_KEM_MLKEM512_C1_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_C1_BLOCK_SIZE_512 * LIBCRUX_ML_KEM_MLKEM512_RANK_512) + +#define LIBCRUX_ML_KEM_MLKEM512_VECTOR_V_COMPRESSION_FACTOR_512 ((size_t)4U) -#define LIBCRUX_ML_KEM_MLKEM512_C1_SIZE_512 ((size_t)640U) +#define LIBCRUX_ML_KEM_MLKEM512_C2_SIZE_512 \ + (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ + LIBCRUX_ML_KEM_MLKEM512_VECTOR_V_COMPRESSION_FACTOR_512 / (size_t)8U) -#define LIBCRUX_ML_KEM_MLKEM512_C2_SIZE_512 ((size_t)128U) +#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_CIPHERTEXT_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_C1_SIZE_512 + LIBCRUX_ML_KEM_MLKEM512_C2_SIZE_512) -#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_CIPHERTEXT_SIZE_512 ((size_t)768U) +#define LIBCRUX_ML_KEM_MLKEM512_T_AS_NTT_ENCODED_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_RANK_512 * \ + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ + LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) -#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_PUBLIC_KEY_SIZE_512 ((size_t)800U) +#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_PUBLIC_KEY_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_T_AS_NTT_ENCODED_SIZE_512 + (size_t)32U) -#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_SECRET_KEY_SIZE_512 ((size_t)768U) +#define LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_SECRET_KEY_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_RANK_512 * \ + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ + LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) #define LIBCRUX_ML_KEM_MLKEM512_ETA1 ((size_t)3U) -#define LIBCRUX_ML_KEM_MLKEM512_ETA1_RANDOMNESS_SIZE ((size_t)192U) +#define LIBCRUX_ML_KEM_MLKEM512_ETA1_RANDOMNESS_SIZE \ + (LIBCRUX_ML_KEM_MLKEM512_ETA1 * (size_t)64U) #define LIBCRUX_ML_KEM_MLKEM512_ETA2 ((size_t)2U) -#define LIBCRUX_ML_KEM_MLKEM512_ETA2_RANDOMNESS_SIZE ((size_t)128U) +#define LIBCRUX_ML_KEM_MLKEM512_ETA2_RANDOMNESS_SIZE \ + (LIBCRUX_ML_KEM_MLKEM512_ETA2 * (size_t)64U) #define LIBCRUX_ML_KEM_MLKEM512_IMPLICIT_REJECTION_HASH_INPUT_SIZE \ - ((size_t)800U) + (LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE + \ + LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_CIPHERTEXT_SIZE_512) typedef libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_mlkem512_MlKem512Ciphertext; @@ -56,17 +80,15 @@ typedef libcrux_ml_kem_types_MlKemPrivateKey_fa typedef libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_mlkem512_MlKem512PublicKey; -#define LIBCRUX_ML_KEM_MLKEM512_RANKED_BYTES_PER_RING_ELEMENT_512 ((size_t)768U) +#define LIBCRUX_ML_KEM_MLKEM512_RANKED_BYTES_PER_RING_ELEMENT_512 \ + (LIBCRUX_ML_KEM_MLKEM512_RANK_512 * \ + LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) -#define LIBCRUX_ML_KEM_MLKEM512_RANK_512 ((size_t)2U) - -#define LIBCRUX_ML_KEM_MLKEM512_SECRET_KEY_SIZE_512 ((size_t)1632U) - -#define LIBCRUX_ML_KEM_MLKEM512_T_AS_NTT_ENCODED_SIZE_512 ((size_t)768U) - -#define LIBCRUX_ML_KEM_MLKEM512_VECTOR_U_COMPRESSION_FACTOR_512 ((size_t)10U) - -#define LIBCRUX_ML_KEM_MLKEM512_VECTOR_V_COMPRESSION_FACTOR_512 ((size_t)4U) +#define LIBCRUX_ML_KEM_MLKEM512_SECRET_KEY_SIZE_512 \ + (LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_SECRET_KEY_SIZE_512 + \ + LIBCRUX_ML_KEM_MLKEM512_CPA_PKE_PUBLIC_KEY_SIZE_512 + \ + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE + \ + LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE) #if defined(__cplusplus) } diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index 781ff4da2..3e99b3ea9 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem512_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index bb8088679..e9a9e55e0 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index e1443ee16..00289e810 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c @@ -8,13 +8,16 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem512_portable.h" #include "internal/libcrux_mlkem_portable.h" +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics @@ -65,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- C1_BLOCK_SIZE= 320 +- VECTOR_U_BLOCK_LEN= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 @@ -98,6 +101,9 @@ tuple_41 libcrux_ml_kem_mlkem512_portable_encapsulate( return encapsulate_35(uu____0, copy_of_randomness); } +/** + Portable generate key pair. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const @@ -106,7 +112,7 @@ generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- RANKED_BYTES_PER_RING_ELEMENT= 768 +- BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index 49e8b1dc2..0f19e1950 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index 64e186c43..0caa6791d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index 6ab9ef817..bcf8914e3 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem768_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index 0e0ae18d7..2b84eaa9a 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index 424ec0f54..3b8ae8945 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -8,13 +8,16 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem768_portable.h" #include "internal/libcrux_mlkem_portable.h" +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics @@ -65,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- C1_BLOCK_SIZE= 320 +- VECTOR_U_BLOCK_LEN= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -98,6 +101,9 @@ tuple_c2 libcrux_ml_kem_mlkem768_portable_encapsulate( return encapsulate_cd(uu____0, copy_of_randomness); } +/** + Portable generate key pair. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const @@ -106,7 +112,7 @@ generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- RANKED_BYTES_PER_RING_ELEMENT= 1152 +- BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index c3eef51ed..913f5271d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index 50828fb37..f53d6f5c4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_mlkem_avx2.h" @@ -33,7 +33,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H(Eurydice_slice input, memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_vec_zero(void) { +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) { return mm256_setzero_si256(); } @@ -42,11 +42,11 @@ This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_09(void) { - return libcrux_ml_kem_vector_avx2_vec_zero(); + return libcrux_ml_kem_vector_avx2_zero(); } KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) { +libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) { return mm256_loadu_si256_i16(array); } @@ -56,17 +56,15 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array) { - return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array); + return libcrux_ml_kem_vector_avx2_from_i16_array(array); } -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_to_i16_array( - __m256i v, int16_t ret[16U]) { +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v, + int16_t ret[16U]) { int16_t output[16U] = {0U}; mm256_storeu_si256_i16(Eurydice_array_to_slice((size_t)16U, output, int16_t), v); - int16_t result[16U]; - memcpy(result, output, (size_t)16U * sizeof(int16_t)); - memcpy(ret, result, (size_t)16U * sizeof(int16_t)); + memcpy(ret, output, (size_t)16U * sizeof(int16_t)); } /** @@ -75,7 +73,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_09( __m256i x, int16_t ret[16U]) { - libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret); + libcrux_ml_kem_vector_avx2_to_i16_array(x, ret); } KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, @@ -109,8 +107,7 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_09(__m256i lhs, KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, int16_t constant) { - __m256i cv = mm256_set1_epi16(constant); - return mm256_mullo_epi16(vector, cv); + return mm256_mullo_epi16(vector, mm256_set1_epi16(constant)); } /** @@ -125,8 +122,7 @@ libcrux_ml_kem_vector_avx2_multiply_by_constant_09(__m256i vec, int16_t c) { KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( __m256i vector, int16_t constant) { - __m256i cv = mm256_set1_epi16(constant); - return mm256_and_si256(vector, cv); + return mm256_and_si256(vector, mm256_set1_epi16(constant)); } /** @@ -171,12 +167,11 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) { */ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { - __m256i t0 = mm256_mulhi_epi16( + __m256i t = mm256_mulhi_epi16( vector, mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); - __m256i t512 = mm256_set1_epi16((int16_t)512); - __m256i t1 = mm256_add_epi16(t0, t512); - __m256i quotient = mm256_srai_epi16((int32_t)10, t1, __m256i); + __m256i t0 = mm256_add_epi16(t, mm256_set1_epi16((int16_t)512)); + __m256i quotient = mm256_srai_epi16((int32_t)10, t0, __m256i); __m256i quotient_times_field_modulus = mm256_mullo_epi16( quotient, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); return mm256_sub_epi16(vector, quotient_times_field_modulus); @@ -194,17 +189,16 @@ libcrux_ml_kem_vector_avx2_barrett_reduce_09(__m256i vector) { KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( __m256i vector, int16_t constant) { - __m256i vec_constant = mm256_set1_epi16(constant); - __m256i value_low = mm256_mullo_epi16(vector, vec_constant); + __m256i constant0 = mm256_set1_epi16(constant); + __m256i value_low = mm256_mullo_epi16(vector, constant0); __m256i k = mm256_mullo_epi16( value_low, mm256_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m256i modulus = - mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m256i k_times_modulus = mm256_mulhi_epi16(k, modulus); - __m256i value_high = mm256_mulhi_epi16(vector, vec_constant); + __m256i k_times_modulus = mm256_mulhi_epi16( + k, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); + __m256i value_high = mm256_mulhi_epi16(vector, constant0); return mm256_sub_epi16(value_high, k_times_modulus); } @@ -256,17 +250,16 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32( KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( - __m256i vec, __m256i constants) { - __m256i value_low = mm256_mullo_epi16(vec, constants); + __m256i v, __m256i c) { + __m256i value_low = mm256_mullo_epi16(v, c); __m256i k = mm256_mullo_epi16( value_low, mm256_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m256i modulus = - mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m256i k_times_modulus = mm256_mulhi_epi16(k, modulus); - __m256i value_high = mm256_mulhi_epi16(vec, constants); + __m256i k_times_modulus = mm256_mulhi_epi16( + k, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); + __m256i value_high = mm256_mulhi_epi16(v, c); return mm256_sub_epi16(value_high, k_times_modulus); } @@ -319,16 +312,16 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( KRML_MUSTINLINE __m128i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( - __m128i vec, __m128i constants) { - __m128i value_low = mm_mullo_epi16(vec, constants); + __m128i v, __m128i c) { + __m128i value_low = mm_mullo_epi16(v, c); __m128i k = mm_mullo_epi16( value_low, mm_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m128i modulus = mm_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m128i k_times_modulus = mm_mulhi_epi16(k, modulus); - __m128i value_high = mm_mulhi_epi16(vec, constants); + __m128i k_times_modulus = mm_mulhi_epi16( + k, mm_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); + __m128i value_high = mm_mulhi_epi16(v, c); return mm_sub_epi16(value_high, k_times_modulus); } @@ -440,15 +433,15 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( } KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) { +libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v) { __m256i k = mm256_mullo_epi16( - vec, + v, mm256_set1_epi32( (int32_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); __m256i k_times_modulus = mm256_mulhi_epi16( k, mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); - __m256i value_high = mm256_srli_epi32((int32_t)16, vec, __m256i); + __m256i value_high = mm256_srli_epi32((int32_t)16, v, __m256i); __m256i result = mm256_sub_epi16(value_high, k_times_modulus); __m256i result0 = mm256_slli_epi32((int32_t)16, result, __m256i); return mm256_srai_epi32((int32_t)16, result0, __m256i); @@ -567,8 +560,10 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( extract the most significant bit from each element and collate them into two bytes. */ msbs); - uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; - memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); + uint8_t serialized[2U] = {0U}; + serialized[0U] = (uint8_t)bits_packed; + serialized[1U] = (uint8_t)(bits_packed >> 8U); + memcpy(ret, serialized, (size_t)2U * sizeof(uint8_t)); } /** @@ -580,56 +575,10 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09( libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); } -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( - int16_t a, int16_t b) { - __m256i coefficients = - mm256_set_epi16(/* We need to take each bit from the 2 bytes of input and - put them into their own 16-bit lane. Ideally, we'd load - the two bytes into the vector, duplicate them, and - right-shift the 0th element by 0 bits, the first - element by 1 bit, the second by 2 bits and so on before - AND-ing with 0x1 to leave only the least signifinicant - bit. But since |_mm256_srlv_epi16| does not exist, so - we have to resort to a workaround. Rather than shifting - each element by a different amount, we'll multiply each - element by a value such that the bit we're interested - in becomes the most significant bit. The coefficients - are loaded as follows: */ - b, - b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); - __m256i coefficients_in_msb = - mm256_mullo_epi16(/* And this vector, when multiplied with the previous - one, ensures that the bit we'd like to keep in each - lane becomes the most significant bit upon - multiplication. */ - coefficients, - mm256_set_epi16((int16_t)1 << 8U, (int16_t)1 << 9U, - (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, - (int16_t)1 << 14U, (int16_t)-32768, - (int16_t)1 << 8U, (int16_t)1 << 9U, - (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, - (int16_t)1 << 14U, (int16_t)-32768)); - return mm256_srli_epi16( - (int32_t)15, - /* Now that they're all in the most significant bit position, shift them - down to the least significant bit. */ - coefficients_in_msb, __m256i); -} - -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - uint8_t a, uint8_t b) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( - (int16_t)a, (int16_t)b); -} - KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - Eurydice_slice_index( + __m256i coefficients = mm256_set_epi16( + (int16_t)Eurydice_slice_index( bytes, /* We need to take each bit from the 2 bytes of input and put them into their own 16-bit lane. Ideally, we'd load the two bytes into @@ -640,13 +589,35 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { to a workaround. Rather than shifting each element by a different amount, we'll multiply each element by a value such that the bit we're interested in becomes the most significant bit. The - coefficients are loaded as follows: And this vector, when - multiplied with the previous one, ensures that the bit we'd like to - keep in each lane becomes the most significant bit upon - multiplication. Now that they're all in the most significant bit - position, shift them down to the least significant bit. */ - (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); + coefficients are loaded as follows: */ + (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i shift_lsb_to_msb = mm256_set_epi16( + (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768, + (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768); + __m256i coefficients_in_msb = + mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + return mm256_srli_epi16( + (int32_t)15, + /* Now that they're all in the most significant bit position, shift them + down to the least significant bit. */ + coefficients_in_msb, __m256i); } /** @@ -658,33 +629,23 @@ libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } -/** - `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets - of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of - 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last - `n` bits are non-zero). -*/ -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, - __m256i x) { - int16_t n0 = (int16_t)1 << (uint32_t)n; - return mm256_madd_epi16( - x, mm256_set_epi16(n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, - (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, - (int16_t)1, n0, (int16_t)1)); -} - KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m256i vector, uint8_t ret[8U]) { uint8_t serialized[16U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n( - 4U, - /* If |vector| is laid out as follows: 0x000A 0x000B 0x000C 0x000D | - 0x000E 0x000F 0x000G 0x000H | .... |adjacent_2_combined| will be - laid out as a series of 32-bit integeres, as follows: 0x00_00_00_BA - 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... */ - vector); + mm256_madd_epi16(/* If |vector| is laid out as follows: 0x000A 0x000B + 0x000C 0x000D | 0x000E 0x000F 0x000G 0x000H | .... + |adjacent_2_combined| will be laid out as a series of + 32-bit integeres, as follows: 0x00_00_00_BA + 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... */ + vector, + mm256_set_epi16( + (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, + (int16_t)1, (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, + (int16_t)1, (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, + (int16_t)1)); __m256i adjacent_8_combined = mm256_shuffle_epi8(/* Recall that |adjacent_2_combined| goes as follows: 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE @@ -738,57 +699,10 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09( libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret); } -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( - int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, - int16_t b6, int16_t b7) { - __m256i coefficients = - mm256_set_epi16(/* Every 4 bits from each byte of input should be put into - its own 16-bit lane. Since |_mm256_srlv_epi16| does not - exist, we have to resort to a workaround. Rather than - shifting each element by a different amount, we'll - multiply each element by a value such that the bits - we're interested in become the most significant bits - (of an 8-bit value). In this lane, the 4 bits we need - to put are already the most significant bits of - |bytes[7]| (that is, b7). */ - b7, - /* In this lane, the 4 bits we need to put are the least - significant bits, so we need to shift the 4 - least-significant bits of |b7| to the most significant - bits (of an 8-bit value). */ - b7, b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, - b0); - __m256i coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U)); - __m256i coefficients_in_lsb = mm256_srli_epi16( - (int32_t)4, - /* Once the 4-bit coefficients are in the most significant positions (of - an 8-bit value), shift them all down by 4. */ - coefficients_in_msb, __m256i); - return mm256_and_si256(/* Zero the remaining bits. */ coefficients_in_lsb, - mm256_set1_epi16(((int16_t)1 << 4U) - (int16_t)1)); -} - -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, - uint8_t b6, uint8_t b7) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( - (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4, - (int16_t)b5, (int16_t)b6, (int16_t)b7); -} - KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - Eurydice_slice_index( + __m256i coefficients = mm256_set_epi16( + (int16_t)Eurydice_slice_index( bytes, /* Every 4 bits from each byte of input should be put into its own 16-bit lane. Since |_mm256_srlv_epi16| does not exist, we have to @@ -796,22 +710,43 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { different amount, we'll multiply each element by a value such that the bits we're interested in become the most significant bits (of an 8-bit value). In this lane, the 4 bits we need to put are - already the most significant bits of |bytes[7]| (that is, b7). In - this lane, the 4 bits we need to put are the least significant - bits, so we need to shift the 4 least-significant bits of |b7| to - the most significant bits (of an 8-bit value). These constants are - chosen to shift the bits of the values that we loaded into - |coefficients|. Once the 4-bit coefficients are in the most - significant positions (of an 8-bit value), shift them all down - by 4. Zero the remaining bits. */ - (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); + already the most significant bits of |bytes[7]|. */ + (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index( + bytes, + /* In this lane, the 4 bits we need to put are the least significant + bits, so we need to shift the 4 least-significant bits of + |bytes[7]| to the most significant bits (of an 8-bit value). */ + (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, /* and so on ... */ (size_t)6U, + uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i shift_lsbs_to_msbs = mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); + __m256i coefficients_in_msb = + mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + __m256i coefficients_in_lsb = mm256_srli_epi16( + (int32_t)4, + /* Once the 4-bit coefficients are in the most significant positions (of + an 8-bit value), shift them all down by 4. */ + coefficients_in_msb, __m256i); + return mm256_and_si256(/* Zero the remaining bits. */ coefficients_in_lsb, + mm256_set1_epi16(((int16_t)1 << 4U) - (int16_t)1)); } /** @@ -920,22 +855,6 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_09( libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } -/** - We cannot model `mm256_inserti128_si256` on its own: it produces a - Vec256 where the upper 128 bits are undefined. Thus - `mm256_inserti128_si256` is not pure. - - Luckily, we always call `mm256_castsi128_si256` right after - `mm256_inserti128_si256`: this composition sets the upper bits, - making the whole computation pure again. -*/ -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower, - __m128i upper) { - return mm256_inserti128_si256((int32_t)1, mm256_castsi128_si256(lower), upper, - __m256i); -} - KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { __m128i coefficients = @@ -955,11 +874,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i coefficients_loaded = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - coefficients, coefficients); + __m256i coefficients_loaded = mm256_castsi128_si256(coefficients); + __m256i coefficients_loaded0 = mm256_inserti128_si256( + (int32_t)1, coefficients_loaded, coefficients, __m256i); __m256i coefficients0 = mm256_shuffle_epi8( - coefficients_loaded, + coefficients_loaded0, mm256_set_epi8((int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)9, @@ -987,24 +906,31 @@ libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } -core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( - __m256i vector) { +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( + __m256i vector, uint8_t ret[20U]) { + uint8_t serialized[32U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n( - 10U, - /* If |vector| is laid out as follows (superscript number indicates - the corresponding bit is duplicated that many times): - 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ - 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ - 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ ... - |adjacent_2_combined| will be laid out as a series of 32-bit - integers, as follows: 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ .... */ - vector); + mm256_madd_epi16(/* If |vector| is laid out as follows (superscript number + indicates the corresponding bit is duplicated that + many times): 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ + 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ + 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ + 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ + 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ ... |adjacent_2_combined| + will be laid out as a series of 32-bit integers, as + follows: 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ + 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ + 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ .... + */ + vector, + mm256_set_epi16( + (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, + (int16_t)1, (int16_t)1 << 10U, (int16_t)1, + (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, + (int16_t)1, (int16_t)1 << 10U, (int16_t)1, + (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, + (int16_t)1)); __m256i adjacent_4_combined = mm256_sllv_epi32(/* Shifting up the values at the even indices by 12, we get: b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² @@ -1048,184 +974,13 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( mm256_castsi256_si128(/* We now have 64 bits starting at position 0 in the lower 128-bit lane, ... */ adjacent_8_combined); + mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_8); __m128i upper_8 = mm256_extracti128_si256( (int32_t)1, /* and 64 bits starting at position 0 in the upper 128-bit lane. */ adjacent_8_combined, __m128i); - return ( - CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); -} - -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { - core_core_arch_x86___m128i_x2 uu____0 = - libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(/* If - |vector| - is - laid - out - as - follows - (superscript - number - indicates - the - corresponding - bit - is - duplicated - that - many - times): - 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ - 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ - | ↩ - 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ - 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ - | ↩ - ... - |adjacent_2_combined| - will - be - laid - out - as a - series - of - 32-bit - integers, - as - follows: - 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - | ↩ - 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - | ↩ - .... - Shifting - up - the - values - at - the - even - indices - by - 12, - we - get: - b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - | ↩ - f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - | ↩ - ... - Viewing - this - as a - set - of - 64-bit - integers - we - get: - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² - | ↩ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² - | ↩ - ... - Shifting - down - by - 12 - gives - us: - 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - | ↩ - 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - | ↩ - ... - |adjacent_4_combined|, - when - the - bottom - and - top - 128 - bit-lanes - are - grouped - into - bytes, - looks - like: - 0₇0₆0₅B₄B₃B₂B₁B₀ - | ↩ - 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ - | ↩ - In - each - 128-bit - lane, - we - want - to - put - bytes - 8, - 9, - 10, - 11, - 12 - after - bytes - 0, - 1, - 2, 3 - to - allow - for - sequential - reading. - We - now - have - 64 - bits - starting - at - position - 0 in - the - lower - 128-bit - lane, - ... - and - 64 - bits - starting - at - position - 0 in - the - upper - 128-bit - lane. - */ - vector); - __m128i lower_8 = uu____0.fst; - __m128i upper_8 = uu____0.snd; - uint8_t serialized[32U] = {0U}; - mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - lower_8); mm_storeu_bytes_si128(Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t), upper_8); @@ -1248,41 +1003,30 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09( libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret); } -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0) { - __m128i lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, - 3U, 2U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, - 10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U)); - __m256i coefficients = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - lower_coefficients, upper_coefficients); - __m256i coefficients0 = mm256_mullo_epi16( - coefficients, - mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, - (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U, - (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U, - (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, - (int16_t)1 << 6U)); - __m256i coefficients1 = mm256_srli_epi16((int32_t)6, coefficients0, __m256i); - return mm256_and_si256( - /* Here I can prove this `and` is not useful */ coefficients1, - mm256_set1_epi16(((int16_t)1 << 10U) - (int16_t)1)); -} - KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { - Eurydice_slice lower_coefficients = Eurydice_slice_subslice2( - /* Here I can prove this `and` is not useful */ bytes, (size_t)0U, - (size_t)16U, uint8_t); - Eurydice_slice upper_coefficients = - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - mm_loadu_si128(lower_coefficients), mm_loadu_si128(upper_coefficients)); + __m256i shift_lsbs_to_msbs = mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); + __m128i lower_coefficients = mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); + __m128i lower_coefficients0 = mm_shuffle_epi8( + lower_coefficients, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, + 3U, 2U, 2U, 1U, 1U, 0U)); + __m128i upper_coefficients = mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); + __m128i upper_coefficients0 = mm_shuffle_epi8( + upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, + 10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U)); + __m256i coefficients = mm256_castsi128_si256(lower_coefficients0); + __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients, + upper_coefficients0, __m256i); + __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs); + __m256i coefficients2 = mm256_srli_epi16((int32_t)6, coefficients1, __m256i); + return mm256_and_si256(coefficients2, + mm256_set1_epi16(((int16_t)1 << 10U) - (int16_t)1)); } /** @@ -1335,11 +1079,16 @@ libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes); } -KRML_MUSTINLINE core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - __m256i vector) { - __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector); +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( + __m256i vector, uint8_t ret[24U]) { + uint8_t serialized[32U] = {0U}; + __m256i adjacent_2_combined = mm256_madd_epi16( + vector, mm256_set_epi16((int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, + (int16_t)1, (int16_t)1 << 12U, (int16_t)1, + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, + (int16_t)1, (int16_t)1 << 12U, (int16_t)1, + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, + (int16_t)1)); __m256i adjacent_4_combined = mm256_sllv_epi32( adjacent_2_combined, mm256_set_epi32((int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8, @@ -1358,18 +1107,6 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( __m128i lower_8 = mm256_castsi256_si128(adjacent_8_combined); __m128i upper_8 = mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i); - return ( - CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); -} - -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { - uint8_t serialized[32U] = {0U}; - core_core_arch_x86___m128i_x2 uu____0 = - libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - vector); - __m128i lower_8 = uu____0.fst; - __m128i upper_8 = uu____0.snd; mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); @@ -1395,39 +1132,30 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09( libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); } -KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0) { - __m128i lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, - 4U, 4U, 3U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, - 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); - __m256i coefficients = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - lower_coefficients, upper_coefficients); - __m256i coefficients0 = mm256_mullo_epi16( - coefficients, - mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U)); - __m256i coefficients1 = mm256_srli_epi16((int32_t)4, coefficients0, __m256i); - return mm256_and_si256(coefficients1, - mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1)); -} - KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { + __m256i shift_lsbs_to_msbs = mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); __m128i lower_coefficients = mm_loadu_si128( Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); + __m128i lower_coefficients0 = mm_shuffle_epi8( + lower_coefficients, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, + 4U, 3U, 2U, 1U, 1U, 0U)); __m128i upper_coefficients = mm_loadu_si128( Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - lower_coefficients, upper_coefficients); + __m128i upper_coefficients0 = mm_shuffle_epi8( + upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, + 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); + __m256i coefficients = mm256_castsi128_si256(lower_coefficients0); + __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients, + upper_coefficients0, __m256i); + __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs); + __m256i coefficients2 = mm256_srli_epi16((int32_t)4, coefficients1, __m256i); + return mm256_and_si256(coefficients2, + mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1)); } /** @@ -1477,20 +1205,18 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( compare_with_field_modulus, good); uint8_t lower_shuffles[16U]; - memcpy( - lower_shuffles, - /* We need to provide a definition or post-condition for - Core.Num.impl__u8__count_ones Each bit (and its corresponding position) - represents an element we want to sample. We'd like all such elements to - be next to each other starting at index 0, so that they can be read - from the vector easily. |REJECTION_SAMPLE_SHUFFLE_TABLE| encodes the - byte-level shuffling indices needed to make this happen. For e.g. if - good[0] = 0b0_0_0_0_0_0_1_0, we need to move the element in the 2-nd - 16-bit lane to the first. To do this, we need the byte-level shuffle - indices to be 2 3 X X X X ... */ - libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( - size_t)good[0U]], - (size_t)16U * sizeof(uint8_t)); + memcpy(lower_shuffles, + /* Each bit (and its corresponding position) represents an element we + want to sample. We'd like all such elements to be next to each other + starting at index 0, so that they can be read from the vector + easily. |REJECTION_SAMPLE_SHUFFLE_TABLE| encodes the byte-level + shuffling indices needed to make this happen. For e.g. if good[0] = + 0b0_0_0_0_0_0_1_0, we need to move the element in the 2-nd 16-bit + lane to the first. To do this, we need the byte-level shuffle + indices to be 2 3 X X X X ... */ + libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( + size_t)good[0U]], + (size_t)16U * sizeof(uint8_t)); __m128i lower_shuffles0 = mm_loadu_si128(Eurydice_array_to_slice( (size_t)16U, /* Shuffle the lower 8 16-bits accordingly ... */ lower_shuffles, @@ -1540,15 +1266,15 @@ inline __m256i libcrux_ml_kem_vector_avx2_clone_78(__m256i *self) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_ef_61(void) { +static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_d6_61(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09(); lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09(); @@ -1569,6 +1295,12 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_ef_61(void) { return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -1577,7 +1309,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_to_reduced_ring_element_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -1594,9 +1326,10 @@ deserialize_to_reduced_ring_element_61(Eurydice_slice serialized) { A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_ab( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b1( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { for (size_t i = (size_t)0U; @@ -1615,25 +1348,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_ab( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_ab( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_b1( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_61();); - deserialize_ring_elements_reduced_ab(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; + deserialized_pk[i] = ZERO_d6_61();); + deserialize_ring_elements_reduced_b1(public_key, deserialized_pk); memcpy( - result, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - memcpy( - ret, result, + ret, deserialized_pk, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } @@ -1673,12 +1409,12 @@ static KRML_MUSTINLINE __m256i to_unsigned_representative_61(__m256i a) { } /** -A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE __m256i to_unsigned_field_modulus_61(__m256i a) { +static KRML_MUSTINLINE __m256i to_unsigned_field_element_61(__m256i a) { return to_unsigned_representative_61(a); } @@ -1694,7 +1430,7 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_61( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = to_unsigned_field_modulus_61(re->coefficients[i0]); + __m256i coefficient = to_unsigned_field_element_61(re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_avx2_serialize_12_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -1778,6 +1514,13 @@ static KRML_MUSTINLINE void serialize_public_key_ed( memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -1788,7 +1531,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_ed(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - deserialize_ring_elements_reduced_out_ab( + deserialize_ring_elements_reduced_out_b1( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t), deserialized_pk); @@ -1816,6 +1559,13 @@ static KRML_MUSTINLINE void H_a9_e0(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_avx2_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -1866,9 +1616,9 @@ with const generics */ static IndCpaPrivateKeyUnpacked_63 default_1a_ab(void) { IndCpaPrivateKeyUnpacked_63 lit; - lit.secret_as_ntt[0U] = ZERO_ef_61(); - lit.secret_as_ntt[1U] = ZERO_ef_61(); - lit.secret_as_ntt[2U] = ZERO_ef_61(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); + lit.secret_as_ntt[2U] = ZERO_d6_61(); return lit; } @@ -1898,22 +1648,22 @@ with const generics static IndCpaPublicKeyUnpacked_63 default_8d_ab(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - uu____0[i] = ZERO_ef_61();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_63 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_61(); - lit.A[0U][1U] = ZERO_ef_61(); - lit.A[0U][2U] = ZERO_ef_61(); - lit.A[1U][0U] = ZERO_ef_61(); - lit.A[1U][1U] = ZERO_ef_61(); - lit.A[1U][2U] = ZERO_ef_61(); - lit.A[2U][0U] = ZERO_ef_61(); - lit.A[2U][1U] = ZERO_ef_61(); - lit.A[2U][2U] = ZERO_ef_61(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[0U][2U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); + lit.A[1U][2U] = ZERO_d6_61(); + lit.A[2U][0U] = ZERO_d6_61(); + lit.A[2U][1U] = ZERO_d6_61(); + lit.A[2U][2U] = ZERO_d6_61(); return lit; } @@ -1957,12 +1707,11 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_be( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_e0(uint8_t input[3U][34U]) { +shake128_init_absorb_e0(uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState_55 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( @@ -1979,25 +1728,24 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_a9_e0(uint8_t input[3U][34U]) { +shake128_init_absorb_a9_e0(uint8_t input[3U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[3U][34U]; memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_e0(copy_of_input); + return shake128_init_absorb_e0(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const +generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_e0( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; @@ -2027,13 +1775,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const +generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_e0( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) { - shake128_squeeze_first_three_blocks_e0(self, ret); + shake128_squeeze_three_blocks_e0(self, ret); } /** @@ -2118,11 +1866,10 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_e0( +static KRML_MUSTINLINE void shake128_squeeze_block_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; @@ -2152,13 +1899,12 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_e0( +static KRML_MUSTINLINE void shake128_squeeze_block_a9_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) { - shake128_squeeze_next_block_e0(self, ret); + shake128_squeeze_block_e0(self, ret); } /** @@ -2244,17 +1990,17 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed0( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef +A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -from_i16_array_ef_61(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); +from_i16_array_d6_61(Eurydice_slice a) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -2273,7 +2019,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c1( int16_t s[272U]) { - return from_i16_array_ef_61( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -2292,9 +2038,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c1( uint8_t copy_of_seeds[3U][34U]; memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_e0(copy_of_seeds); + shake128_init_absorb_a9_e0(copy_of_seeds); uint8_t randomness0[3U][504U]; - shake128_squeeze_first_three_blocks_a9_e0(&xof_state, randomness0); + shake128_squeeze_three_blocks_a9_e0(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[3U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); @@ -2309,7 +2055,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c1( break; } else { uint8_t randomness[3U][168U]; - shake128_squeeze_next_block_a9_e0(&xof_state, randomness); + shake128_squeeze_block_a9_e0(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[3U][168U]; memcpy(copy_of_randomness, randomness, @@ -2356,13 +2102,14 @@ static KRML_MUSTINLINE void sample_matrix_A_6c1( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)3U, sampled, + (size_t)3U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), libcrux_ml_kem_polynomial_PolynomialRingElement_f6); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -2419,6 +2166,55 @@ static KRML_MUSTINLINE void PRFxN_a9_41(uint8_t (*input)[33U], PRFxN_41(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types @@ -2460,7 +2256,7 @@ sample_from_binomial_distribution_2_61(Eurydice_slice randomness) { sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_ef_61( + return from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -2504,7 +2300,7 @@ sample_from_binomial_distribution_3_61(Eurydice_slice randomness) { sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_ef_61( + return from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -2585,13 +2381,7 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; - i0 < (size_t)128U >> - (uint32_t) /* The semicolon and parentheses at the end of loop are a - workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ - layer; - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; size_t offset = round * step * (size_t)2U; @@ -2602,7 +2392,7 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_61( libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = ntt_layer_int_vec_step_61( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; __m256i y = uu____0.snd; re->coefficients[j] = x; @@ -2624,7 +2414,7 @@ static KRML_MUSTINLINE void ntt_at_layer_3_61( zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]));); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);); } /** @@ -2640,8 +2430,9 @@ static KRML_MUSTINLINE void ntt_at_layer_2_61( zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); zeta_i[0U] = zeta_i[0U] + (size_t)1U;); } @@ -2658,32 +2449,33 @@ static KRML_MUSTINLINE void ntt_at_layer_1_61( zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); zeta_i[0U] = zeta_i[0U] + (size_t)3U;); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void poly_barrett_reduce_ef_61( +static KRML_MUSTINLINE void poly_barrett_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -2710,7 +2502,7 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_61( ntt_at_layer_3_61(&zeta_i, re); ntt_at_layer_2_61(&zeta_i, re); ntt_at_layer_1_61(&zeta_i, re); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } /** @@ -2769,7 +2561,7 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_61();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -2788,53 +2580,86 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41( return lit; } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -ntt_multiply_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, +ntt_multiply_d6_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - * error while extracting hax_debug_debug_assert!(lhs .coefficients - * .into_iter() .all(|coefficient| coefficient >= 0 && coefficient < 4096)); - */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_ef_61(); + /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| + * coefficient >= 0 && coefficient < 4096)); */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09( &self->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)3U]); } return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_ab( +static KRML_MUSTINLINE void add_to_ring_element_d6_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { for (size_t i = (size_t)0U; @@ -2867,23 +2692,21 @@ static KRML_MUSTINLINE __m256i to_standard_domain_61(__m256i v) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void add_standard_error_reduce_ef_61( +static KRML_MUSTINLINE void add_standard_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -2920,7 +2743,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -2933,10 +2756,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_ab(&t_as_ntt[i0], &product); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_ab(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_61(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -3038,6 +2861,9 @@ generate_keypair_bb1(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -3125,13 +2951,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d61(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } /** @@ -3152,6 +2978,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_be(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1152 +- K= 3 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_98( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = + deserialize_to_reduced_ring_element_61(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -3164,7 +3016,7 @@ static KRML_MUSTINLINE tuple_23 sample_ring_element_cbd_b41(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = ZERO_ef_61();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -3239,10 +3091,13 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_1_61( re->coefficients[round] = libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); zeta_i[0U] = zeta_i[0U] - (size_t)3U;); } @@ -3260,8 +3115,9 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_2_61( re->coefficients[round] = libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); zeta_i[0U] = zeta_i[0U] - (size_t)1U;); } @@ -3273,12 +3129,13 @@ with const generics */ static KRML_MUSTINLINE void invert_ntt_at_layer_3_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { - KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( - re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]));); + KRML_MAYBE_FOR16( + i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + re->coefficients[round] = + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);); } /** @@ -3326,7 +3183,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_61( libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = inv_ntt_layer_int_vec_step_reduce_61( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; __m256i y = uu____0.snd; re->coefficients[j] = x; @@ -3355,29 +3212,27 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_ab( invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void add_error_reduce_ef_61( +static KRML_MUSTINLINE void add_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -3390,6 +3245,9 @@ static KRML_MUSTINLINE void add_error_reduce_ef_61( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3403,7 +3261,7 @@ static KRML_MUSTINLINE void compute_vector_u_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = ZERO_ef_61();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -3423,11 +3281,11 @@ static KRML_MUSTINLINE void compute_vector_u_ab( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_ab(&result[i1], &product); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_ab(&result[i1], &product); } invert_ntt_montgomery_ab(&result[i1]); - add_error_reduce_ef_61(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -3455,7 +3313,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_message_61(uint8_t serialized[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; __m256i coefficient_compressed = @@ -3470,25 +3328,21 @@ deserialize_then_decompress_message_61(uint8_t serialized[32U]) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -add_message_error_reduce_ef_61( +add_message_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( @@ -3521,6 +3375,9 @@ add_message_error_reduce_ef_61( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3533,13 +3390,13 @@ compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_ab(&result, &product);); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_ab(&result, &product);); invert_ntt_montgomery_ab(&result); - result = add_message_error_reduce_ef_61(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } @@ -3642,7 +3499,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_0e0( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_09_ef(to_unsigned_field_modulus_61(re->coefficients[i0])); + compress_09_ef(to_unsigned_field_element_61(re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_avx2_serialize_10_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -3650,9 +3507,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_0e0( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } - uint8_t result[320U]; - memcpy(result, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -3894,10 +3749,8 @@ static KRML_MUSTINLINE void compress_then_serialize_4_61( LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = compress_09_d1(to_unsigned_field_modulus_61( - re.coefficients[/* NOTE: Using `$serialized` in loop_invariant doesn't - work here */ - i0])); + __m256i coefficient = + compress_09_d1(to_unsigned_field_element_61(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_avx2_serialize_4_09(coefficient, bytes); Eurydice_slice_copy( @@ -4010,7 +3863,7 @@ static KRML_MUSTINLINE void compress_then_serialize_5_61( i++) { size_t i0 = i; __m256i coefficients = - compress_09_f4(to_unsigned_representative_61(re.coefficients[i0])); + compress_09_f4(to_unsigned_field_element_61(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_avx2_serialize_5_09(coefficients, bytes); Eurydice_slice_copy( @@ -4136,7 +3989,7 @@ static KRML_MUSTINLINE void encrypt_741(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[1088U]) { IndCpaPublicKeyUnpacked_63 unpacked_public_key = default_8d_ab(); - deserialize_ring_elements_reduced_ab( + deserialize_ring_elements_reduced_98( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1152U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -4212,7 +4065,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701( size_t); uint8_t ret[32U]; H_a9_e0(Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -4226,7 +4079,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -4236,7 +4089,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_ae(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; @@ -4258,7 +4111,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_to_uncompressed_ring_element_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -4280,7 +4133,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_61();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -4384,12 +4237,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_10_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); - LowStar_Ignore_ignore( - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)16U, re.coefficients, __m256i), - __m256i), - size_t, void *); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; @@ -4485,7 +4333,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_11_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; @@ -4524,7 +4372,7 @@ static KRML_MUSTINLINE void ntt_vector_u_ee( ntt_at_layer_3_61(&zeta_i, re); ntt_at_layer_2_61(&zeta_i, re); ntt_at_layer_1_61(&zeta_i, re); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } /** @@ -4540,7 +4388,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_61();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -4650,7 +4498,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_4_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; @@ -4746,7 +4594,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_5_61(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; @@ -4773,23 +4621,19 @@ deserialize_then_decompress_ring_element_v_42(Eurydice_slice serialized) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -subtract_reduce_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, +subtract_reduce_d6_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( @@ -4801,6 +4645,12 @@ subtract_reduce_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4812,13 +4662,13 @@ compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_ab(&result, &product);); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_ab(&result, &product);); invert_ntt_montgomery_ab(&result); - result = subtract_reduce_ef_61(v, result); + result = subtract_reduce_d6_61(v, result); return result; } @@ -4833,7 +4683,7 @@ static KRML_MUSTINLINE void compress_then_serialize_message_61( uint8_t serialized[32U] = {0U}; KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - __m256i coefficient = to_unsigned_field_modulus_61(re.coefficients[i0]); + __m256i coefficient = to_unsigned_field_element_61(re.coefficients[i0]); __m256i coefficient_compressed = libcrux_ml_kem_vector_avx2_compress_1_09(coefficient); uint8_t bytes[2U]; @@ -4994,7 +4844,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_a9_41(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), @@ -5010,26 +4860,27 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11( kdf_d8_ae(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_ae(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_ae(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1568 - K= 4 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_42( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_88( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { for (size_t i = (size_t)0U; @@ -5048,25 +4899,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_42( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1568 - K= 4 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_42( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_88( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_61();); - deserialize_ring_elements_reduced_42(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[4U]; + deserialized_pk[i] = ZERO_d6_61();); + deserialize_ring_elements_reduced_88(public_key, deserialized_pk); memcpy( - result, deserialized_pk, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - memcpy( - ret, result, + ret, deserialized_pk, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } @@ -5141,6 +4995,13 @@ static KRML_MUSTINLINE void serialize_public_key_1e( memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5151,7 +5012,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_1e(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[4U]; - deserialize_ring_elements_reduced_out_42( + deserialize_ring_elements_reduced_out_88( Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, uint8_t, size_t), deserialized_pk); @@ -5179,6 +5040,13 @@ static KRML_MUSTINLINE void H_a9_ac(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_avx2_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -5229,10 +5097,10 @@ with const generics */ static IndCpaPrivateKeyUnpacked_39 default_1a_42(void) { IndCpaPrivateKeyUnpacked_39 lit; - lit.secret_as_ntt[0U] = ZERO_ef_61(); - lit.secret_as_ntt[1U] = ZERO_ef_61(); - lit.secret_as_ntt[2U] = ZERO_ef_61(); - lit.secret_as_ntt[3U] = ZERO_ef_61(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); + lit.secret_as_ntt[2U] = ZERO_d6_61(); + lit.secret_as_ntt[3U] = ZERO_d6_61(); return lit; } @@ -5262,29 +5130,29 @@ with const generics static IndCpaPublicKeyUnpacked_39 default_8d_42(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - uu____0[i] = ZERO_ef_61();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_39 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_61(); - lit.A[0U][1U] = ZERO_ef_61(); - lit.A[0U][2U] = ZERO_ef_61(); - lit.A[0U][3U] = ZERO_ef_61(); - lit.A[1U][0U] = ZERO_ef_61(); - lit.A[1U][1U] = ZERO_ef_61(); - lit.A[1U][2U] = ZERO_ef_61(); - lit.A[1U][3U] = ZERO_ef_61(); - lit.A[2U][0U] = ZERO_ef_61(); - lit.A[2U][1U] = ZERO_ef_61(); - lit.A[2U][2U] = ZERO_ef_61(); - lit.A[2U][3U] = ZERO_ef_61(); - lit.A[3U][0U] = ZERO_ef_61(); - lit.A[3U][1U] = ZERO_ef_61(); - lit.A[3U][2U] = ZERO_ef_61(); - lit.A[3U][3U] = ZERO_ef_61(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[0U][2U] = ZERO_d6_61(); + lit.A[0U][3U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); + lit.A[1U][2U] = ZERO_d6_61(); + lit.A[1U][3U] = ZERO_d6_61(); + lit.A[2U][0U] = ZERO_d6_61(); + lit.A[2U][1U] = ZERO_d6_61(); + lit.A[2U][2U] = ZERO_d6_61(); + lit.A[2U][3U] = ZERO_d6_61(); + lit.A[3U][0U] = ZERO_d6_61(); + lit.A[3U][1U] = ZERO_d6_61(); + lit.A[3U][2U] = ZERO_d6_61(); + lit.A[3U][3U] = ZERO_d6_61(); return lit; } @@ -5328,12 +5196,11 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_6a( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics - K= 4 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_ac(uint8_t input[4U][34U]) { +shake128_init_absorb_ac(uint8_t input[4U][34U]) { libcrux_sha3_generic_keccak_KeccakState_55 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( @@ -5350,25 +5217,24 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics - K= 4 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_a9_ac(uint8_t input[4U][34U]) { +shake128_init_absorb_a9_ac(uint8_t input[4U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[4U][34U]; memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_ac(copy_of_input); + return shake128_init_absorb_ac(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const +generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_ac( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_ac( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[4U][504U]) { uint8_t out[4U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; @@ -5401,13 +5267,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const +generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_ac( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_ac( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][504U]) { - shake128_squeeze_first_three_blocks_ac(self, ret); + shake128_squeeze_three_blocks_ac(self, ret); } /** @@ -5492,11 +5358,10 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_78( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_ac( +static KRML_MUSTINLINE void shake128_squeeze_block_ac( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[4U][168U]) { uint8_t out[4U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; @@ -5529,13 +5394,12 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_ac( +static KRML_MUSTINLINE void shake128_squeeze_block_a9_ac( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][168U]) { - shake128_squeeze_next_block_ac(self, ret); + shake128_squeeze_block_ac(self, ret); } /** @@ -5626,7 +5490,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c( int16_t s[272U]) { - return from_i16_array_ef_61( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -5645,9 +5509,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c( uint8_t copy_of_seeds[4U][34U]; memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_ac(copy_of_seeds); + shake128_init_absorb_a9_ac(copy_of_seeds); uint8_t randomness0[4U][504U]; - shake128_squeeze_first_three_blocks_a9_ac(&xof_state, randomness0); + shake128_squeeze_three_blocks_a9_ac(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[4U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U])); @@ -5662,7 +5526,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c( break; } else { uint8_t randomness[4U][168U]; - shake128_squeeze_next_block_a9_ac(&xof_state, randomness); + shake128_squeeze_block_a9_ac(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[4U][168U]; memcpy(copy_of_randomness, randomness, @@ -5709,13 +5573,14 @@ static KRML_MUSTINLINE void sample_matrix_A_6c( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)4U, sampled, + (size_t)4U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), libcrux_ml_kem_polynomial_PolynomialRingElement_f6); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -5831,7 +5696,7 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_61();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -5850,18 +5715,22 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4( return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 4 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_42( +static KRML_MUSTINLINE void add_to_ring_element_d6_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { for (size_t i = (size_t)0U; @@ -5902,7 +5771,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -5915,10 +5784,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_42(&t_as_ntt[i0], &product); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_42(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_61(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -6020,6 +5889,9 @@ generate_keypair_bb0(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -6107,13 +5979,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d60(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_83 private_key = - libcrux_ml_kem_types_from_7f_39(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_39(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_83 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1568U]; memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_94( - uu____2, libcrux_ml_kem_types_from_5a_af(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_94( + uu____2, libcrux_ml_kem_types_from_40_af(copy_of_public_key)); } /** @@ -6134,6 +6006,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_6a(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1536 +- K= 4 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_3c( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = + deserialize_to_reduced_ring_element_61(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -6146,7 +6044,7 @@ static KRML_MUSTINLINE tuple_dd sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - error_1[i] = ZERO_ef_61();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -6215,9 +6113,12 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_42( invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6231,7 +6132,7 @@ static KRML_MUSTINLINE void compute_vector_u_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - result[i] = ZERO_ef_61();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -6251,17 +6152,20 @@ static KRML_MUSTINLINE void compute_vector_u_42( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_42(&result[i1], &product); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_42(&result[i1], &product); } invert_ntt_montgomery_42(&result[i1]); - add_error_reduce_ef_61(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6274,13 +6178,13 @@ compute_ring_element_v_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_42(&result, &product);); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_42(&result, &product);); invert_ntt_montgomery_42(&result); - result = add_message_error_reduce_ef_61(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } @@ -6297,7 +6201,7 @@ static KRML_MUSTINLINE void compress_then_serialize_11_0e( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_09_c4(to_unsigned_representative_61(re->coefficients[i0])); + compress_09_c4(to_unsigned_field_element_61(re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_avx2_serialize_11_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -6475,7 +6379,7 @@ static KRML_MUSTINLINE void encrypt_740(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[1568U]) { IndCpaPublicKeyUnpacked_39 unpacked_public_key = default_8d_42(); - deserialize_ring_elements_reduced_42( + deserialize_ring_elements_reduced_3c( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1536U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -6551,7 +6455,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700( size_t); uint8_t ret[32U]; H_a9_ac(Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), + (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -6565,7 +6469,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), uint8_t); + (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -6575,7 +6479,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700( uint8_t copy_of_ciphertext[1568U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_64 ciphertext0 = - libcrux_ml_kem_types_from_01_af(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_af(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_5e(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_64 uu____5 = ciphertext0; @@ -6600,7 +6504,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_61();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -6647,7 +6551,7 @@ static KRML_MUSTINLINE void ntt_vector_u_85( ntt_at_layer_3_61(&zeta_i, re); ntt_at_layer_2_61(&zeta_i, re); ntt_at_layer_1_61(&zeta_i, re); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } /** @@ -6663,7 +6567,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_1e( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_61();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), @@ -6700,6 +6604,12 @@ deserialize_then_decompress_ring_element_v_b4(Eurydice_slice serialized) { return deserialize_then_decompress_5_61(serialized); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6711,13 +6621,13 @@ compute_message_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_42(&result, &product);); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_42(&result, &product);); invert_ntt_montgomery_42(&result); - result = subtract_reduce_ef_61(v, result); + result = subtract_reduce_d6_61(v, result); return result; } @@ -6855,7 +6765,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_af(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_af(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_a9_44(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), @@ -6871,26 +6781,27 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10( kdf_d8_5e(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_5e(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_5e(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_af(ciphertext), + libcrux_ml_kem_types_as_ref_fd_af(ciphertext), Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 800 - K= 2 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_89( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_bc( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { for (size_t i = (size_t)0U; @@ -6909,25 +6820,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_89( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 800 - K= 2 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_89( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_bc( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_61();); - deserialize_ring_elements_reduced_89(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[2U]; + deserialized_pk[i] = ZERO_d6_61();); + deserialize_ring_elements_reduced_bc(public_key, deserialized_pk); memcpy( - result, deserialized_pk, - (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - memcpy( - ret, result, + ret, deserialized_pk, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } @@ -7002,6 +6916,13 @@ static KRML_MUSTINLINE void serialize_public_key_ba( memcpy(ret, public_key_serialized, (size_t)800U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -7012,7 +6933,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_ba(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[2U]; - deserialize_ring_elements_reduced_out_89( + deserialize_ring_elements_reduced_out_bc( Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U, uint8_t, size_t), deserialized_pk); @@ -7040,6 +6961,13 @@ static KRML_MUSTINLINE void H_a9_fd(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_avx2_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -7090,8 +7018,8 @@ with const generics */ static IndCpaPrivateKeyUnpacked_94 default_1a_89(void) { IndCpaPrivateKeyUnpacked_94 lit; - lit.secret_as_ntt[0U] = ZERO_ef_61(); - lit.secret_as_ntt[1U] = ZERO_ef_61(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); return lit; } @@ -7121,17 +7049,17 @@ with const generics static IndCpaPublicKeyUnpacked_94 default_8d_89(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - uu____0[i] = ZERO_ef_61();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_94 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_61(); - lit.A[0U][1U] = ZERO_ef_61(); - lit.A[1U][0U] = ZERO_ef_61(); - lit.A[1U][1U] = ZERO_ef_61(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); return lit; } @@ -7175,12 +7103,11 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_f8( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics - K= 2 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_fd(uint8_t input[2U][34U]) { +shake128_init_absorb_fd(uint8_t input[2U][34U]) { libcrux_sha3_generic_keccak_KeccakState_55 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( @@ -7197,25 +7124,24 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics - K= 2 */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -shake128_init_absorb_final_a9_fd(uint8_t input[2U][34U]) { +shake128_init_absorb_a9_fd(uint8_t input[2U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[2U][34U]; memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_fd(copy_of_input); + return shake128_init_absorb_fd(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const +generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_fd( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_fd( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[2U][504U]) { uint8_t out[2U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; @@ -7242,13 +7168,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const +generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_fd( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_fd( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][504U]) { - shake128_squeeze_first_three_blocks_fd(self, ret); + shake128_squeeze_three_blocks_fd(self, ret); } /** @@ -7333,11 +7259,10 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_29( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_fd( +static KRML_MUSTINLINE void shake128_squeeze_block_fd( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[2U][168U]) { uint8_t out[2U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; @@ -7364,13 +7289,12 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_fd( +static KRML_MUSTINLINE void shake128_squeeze_block_a9_fd( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][168U]) { - shake128_squeeze_next_block_fd(self, ret); + shake128_squeeze_block_fd(self, ret); } /** @@ -7461,7 +7385,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c0( int16_t s[272U]) { - return from_i16_array_ef_61( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -7480,9 +7404,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c0( uint8_t copy_of_seeds[2U][34U]; memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_fd(copy_of_seeds); + shake128_init_absorb_a9_fd(copy_of_seeds); uint8_t randomness0[2U][504U]; - shake128_squeeze_first_three_blocks_a9_fd(&xof_state, randomness0); + shake128_squeeze_three_blocks_a9_fd(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[2U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U])); @@ -7497,7 +7421,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c0( break; } else { uint8_t randomness[2U][168U]; - shake128_squeeze_next_block_a9_fd(&xof_state, randomness); + shake128_squeeze_block_a9_fd(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[2U][168U]; memcpy(copy_of_randomness, randomness, @@ -7544,13 +7468,14 @@ static KRML_MUSTINLINE void sample_matrix_A_6c0( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)2U, sampled, + (size_t)2U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), libcrux_ml_kem_polynomial_PolynomialRingElement_f6); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -7671,7 +7596,7 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_61();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -7690,18 +7615,22 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40( return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 2 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_89( +static KRML_MUSTINLINE void add_to_ring_element_d6_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { for (size_t i = (size_t)0U; @@ -7742,7 +7671,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -7755,10 +7684,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_89(&t_as_ntt[i0], &product); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_89(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_61(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -7860,6 +7789,9 @@ generate_keypair_bb(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -7947,13 +7879,13 @@ libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_ind_cca_generate_keypair_d6( memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_fa private_key = - libcrux_ml_kem_types_from_7f_2a(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_2a(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_fa uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[800U]; memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_fa( - uu____2, libcrux_ml_kem_types_from_5a_4d(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_fa( + uu____2, libcrux_ml_kem_types_from_40_4d(copy_of_public_key)); } /** @@ -7974,6 +7906,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_f8(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 768 +- K= 2 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_09( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = + deserialize_to_reduced_ring_element_61(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRFxN with const generics @@ -8032,7 +7990,7 @@ static KRML_MUSTINLINE tuple_40 sample_ring_element_cbd_b40(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - error_1[i] = ZERO_ef_61();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -8101,9 +8059,12 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_89( invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_61(re); + poly_barrett_reduce_d6_61(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8117,7 +8078,7 @@ static KRML_MUSTINLINE void compute_vector_u_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - result[i] = ZERO_ef_61();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -8137,17 +8098,20 @@ static KRML_MUSTINLINE void compute_vector_u_89( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_89(&result[i1], &product); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_89(&result[i1], &product); } invert_ntt_montgomery_89(&result[i1]); - add_error_reduce_ef_61(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8160,13 +8124,13 @@ compute_ring_element_v_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_89(&result, &product);); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_89(&result, &product);); invert_ntt_montgomery_89(&result); - result = add_message_error_reduce_ef_61(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } @@ -8311,7 +8275,7 @@ static KRML_MUSTINLINE void encrypt_74(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[768U]) { IndCpaPublicKeyUnpacked_94 unpacked_public_key = default_8d_89(); - deserialize_ring_elements_reduced_89( + deserialize_ring_elements_reduced_09( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)768U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -8387,7 +8351,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70( size_t); uint8_t ret[32U]; H_a9_fd(Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), + (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -8401,7 +8365,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), uint8_t); + (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -8411,7 +8375,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70( uint8_t copy_of_ciphertext[768U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_1a ciphertext0 = - libcrux_ml_kem_types_from_01_d0(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_d0(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_4d(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_1a uu____5 = ciphertext0; @@ -8436,7 +8400,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_61();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -8469,7 +8433,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ba( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_61();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t), @@ -8495,6 +8459,12 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ba( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8506,13 +8476,13 @@ compute_message_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_ef_61(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_89(&result, &product);); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_89(&result, &product);); invert_ntt_montgomery_89(&result); - result = subtract_reduce_ef_61(v, result); + result = subtract_reduce_d6_61(v, result); return result; } @@ -8650,7 +8620,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a1( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_d0(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_d0(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_a9_49(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), @@ -8665,15 +8635,15 @@ void libcrux_ml_kem_ind_cca_decapsulate_a1( kdf_d8_4d(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_4d(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_4d(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_d0(ciphertext), + libcrux_ml_kem_types_as_ref_fd_d0(ciphertext), Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index 287b05703..6e8e447de 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem_avx2_H @@ -30,7 +30,7 @@ void libcrux_ml_kem_hash_functions_avx2_G(Eurydice_slice input, void libcrux_ml_kem_hash_functions_avx2_H(Eurydice_slice input, uint8_t ret[32U]); -__m256i libcrux_ml_kem_vector_avx2_vec_zero(void); +__m256i libcrux_ml_kem_vector_avx2_zero(void); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -38,7 +38,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_ZERO_09(void); -__m256i libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array); +__m256i libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -46,7 +46,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array); -void libcrux_ml_kem_vector_avx2_vec_to_i16_array(__m256i v, int16_t ret[16U]); +void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v, int16_t ret[16U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -137,7 +137,7 @@ __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs, __m256i rhs); __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( - __m256i vec, __m256i constants); + __m256i v, __m256i c); __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); @@ -163,7 +163,7 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09(__m256i vector, __m128i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( - __m128i vec, __m128i constants); + __m128i v, __m128i c); __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta); @@ -207,8 +207,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(__m256i vector, int16_t zeta); -__m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s( - __m256i vec); +__m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v); __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(__m256i lhs, __m256i rhs, int16_t zeta0, @@ -234,12 +233,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ void libcrux_ml_kem_vector_avx2_serialize_1_09(__m256i vector, uint8_t ret[2U]); -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( - int16_t a, int16_t b); - -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - uint8_t a, uint8_t b); - __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1( Eurydice_slice bytes); @@ -249,15 +242,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes); -/** - `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets - of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of - 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last - `n` bits are non-zero). -*/ -__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, - __m256i x); - void libcrux_ml_kem_vector_avx2_serialize_serialize_4(__m256i vector, uint8_t ret[8U]); @@ -267,14 +251,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ void libcrux_ml_kem_vector_avx2_serialize_4_09(__m256i vector, uint8_t ret[8U]); -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( - int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, - int16_t b6, int16_t b7); - -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, - uint8_t b6, uint8_t b7); - __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4( Eurydice_slice bytes); @@ -294,18 +270,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_5_09(__m256i vector, uint8_t ret[10U]); -/** - We cannot model `mm256_inserti128_si256` on its own: it produces a - Vec256 where the upper 128 bits are undefined. Thus - `mm256_inserti128_si256` is not pure. - - Luckily, we always call `mm256_castsi128_si256` right after - `mm256_inserti128_si256`: this composition sets the upper bits, - making the whole computation pure again. -*/ -__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - __m128i lower, __m128i upper); - __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5( Eurydice_slice bytes); @@ -315,15 +279,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes); -typedef struct core_core_arch_x86___m128i_x2_s { - __m128i fst; - __m128i snd; -} core_core_arch_x86___m128i_x2; - -core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( - __m256i vector); - void libcrux_ml_kem_vector_avx2_serialize_serialize_10(__m256i vector, uint8_t ret[20U]); @@ -334,9 +289,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_10_09(__m256i vector, uint8_t ret[20U]); -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0); - __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10( Eurydice_slice bytes); @@ -365,10 +317,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes); -core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - __m256i vector); - void libcrux_ml_kem_vector_avx2_serialize_serialize_12(__m256i vector, uint8_t ret[24U]); @@ -379,9 +327,6 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_12_09(__m256i vector, uint8_t ret[24U]); -__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0); - __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12( Eurydice_slice bytes); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 0a607c53e..8016d2805 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_mlkem_portable.h" @@ -32,7 +32,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H( memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } -static const int16_t ZETAS_TIMES_MONTGOMERY_R[128U] = { +const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = { (int16_t)-1044, (int16_t)-758, (int16_t)-359, (int16_t)-1517, (int16_t)1493, (int16_t)1422, (int16_t)287, (int16_t)202, (int16_t)-171, (int16_t)622, (int16_t)1577, (int16_t)182, @@ -66,10 +66,6 @@ static const int16_t ZETAS_TIMES_MONTGOMERY_R[128U] = { (int16_t)-108, (int16_t)-308, (int16_t)996, (int16_t)991, (int16_t)958, (int16_t)-1460, (int16_t)1522, (int16_t)1628}; -int16_t libcrux_ml_kem_polynomial_get_zeta(size_t i) { - return ZETAS_TIMES_MONTGOMERY_R[i]; -} - KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_vector_type_from_i16_array( Eurydice_slice array) { @@ -175,34 +171,30 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_11( libcrux_ml_kem_vector_portable_serialize_serialize_11_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = r0_10.fst; - ret[1U] = r0_10.snd; - ret[2U] = r0_10.thd; - ret[3U] = r0_10.f3; - ret[4U] = r0_10.f4; - ret[5U] = r0_10.f5; - ret[6U] = r0_10.f6; - ret[7U] = r0_10.f7; - ret[8U] = r0_10.f8; - ret[9U] = r0_10.f9; - ret[10U] = r0_10.f10; - ret[11U] = r11_21.fst; - ret[12U] = r11_21.snd; - ret[13U] = r11_21.thd; - ret[14U] = r11_21.f3; - ret[15U] = r11_21.f4; - ret[16U] = r11_21.f5; - ret[17U] = r11_21.f6; - ret[18U] = r11_21.f7; - ret[19U] = r11_21.f8; - ret[20U] = r11_21.f9; - ret[21U] = r11_21.f10; -} - -void libcrux_ml_kem_vector_portable_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret); + uint8_t result[22U] = {0U}; + result[0U] = r0_10.fst; + result[1U] = r0_10.snd; + result[2U] = r0_10.thd; + result[3U] = r0_10.f3; + result[4U] = r0_10.f4; + result[5U] = r0_10.f5; + result[6U] = r0_10.f6; + result[7U] = r0_10.f7; + result[8U] = r0_10.f8; + result[9U] = r0_10.f9; + result[10U] = r0_10.f10; + result[11U] = r11_21.fst; + result[12U] = r11_21.snd; + result[13U] = r11_21.thd; + result[14U] = r11_21.f3; + result[15U] = r11_21.f4; + result[16U] = r11_21.f5; + result[17U] = r11_21.f6; + result[18U] = r11_21.f7; + result[19U] = r11_21.f8; + result[20U] = r11_21.f9; + result[21U] = r11_21.f10; + memcpy(ret, result, (size_t)22U * sizeof(uint8_t)); } /** @@ -212,7 +204,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_11_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[22U]) { - libcrux_ml_kem_vector_portable_serialize_11(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret); } KRML_MUSTINLINE int16_t_x8 @@ -278,6 +270,28 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( .f7 = r7}); } +KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_zero(void) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; + lit.elements[0U] = (int16_t)0; + lit.elements[1U] = (int16_t)0; + lit.elements[2U] = (int16_t)0; + lit.elements[3U] = (int16_t)0; + lit.elements[4U] = (int16_t)0; + lit.elements[5U] = (int16_t)0; + lit.elements[6U] = (int16_t)0; + lit.elements[7U] = (int16_t)0; + lit.elements[8U] = (int16_t)0; + lit.elements[9U] = (int16_t)0; + lit.elements[10U] = (int16_t)0; + lit.elements[11U] = (int16_t)0; + lit.elements[12U] = (int16_t)0; + lit.elements[13U] = (int16_t)0; + lit.elements[14U] = (int16_t)0; + lit.elements[15U] = (int16_t)0; + return lit; +} + KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( @@ -285,29 +299,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -316,7 +326,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_11(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_to_i16_array( @@ -850,28 +860,6 @@ const uint8_t {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U}}; -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_zero(void) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = (int16_t)0; - lit.elements[1U] = (int16_t)0; - lit.elements[2U] = (int16_t)0; - lit.elements[3U] = (int16_t)0; - lit.elements[4U] = (int16_t)0; - lit.elements[5U] = (int16_t)0; - lit.elements[6U] = (int16_t)0; - lit.elements[7U] = (int16_t)0; - lit.elements[8U] = (int16_t)0; - lit.elements[9U] = (int16_t)0; - lit.elements[10U] = (int16_t)0; - lit.elements[11U] = (int16_t)0; - lit.elements[12U] = (int16_t)0; - lit.elements[13U] = (int16_t)0; - lit.elements[14U] = (int16_t)0; - lit.elements[15U] = (int16_t)0; - return lit; -} - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -931,14 +919,14 @@ libcrux_ml_kem_vector_portable_sub_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] * c; + v.elements[uu____0] = v.elements[uu____0] * c; } - return vec; + return v; } /** @@ -947,20 +935,20 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_multiply_by_constant_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { + return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c); } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] & c; + v.elements[uu____0] = v.elements[uu____0] & c; } - return vec; + return v; } /** @@ -976,16 +964,27 @@ libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { - size_t i0 = i; - if (vec.elements[i0] >= (int16_t)3329) { - size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329; + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){ + .start = (size_t)0U, + .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + core_option_Option_08 uu____0 = + core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, core_option_Option_08); + if (uu____0.tag == core_option_None) { + return v; + } else { + size_t i = uu____0.f0; + if (v.elements[i] >= (int16_t)3329) { + size_t uu____1 = i; + v.elements[uu____1] = v.elements[uu____1] - (int16_t)3329; + } } } - return vec; } /** @@ -1009,32 +1008,35 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) - Note: The input bound is 28296 to prevent overflow in the multiplication of - quotient by FIELD_MODULUS - + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. */ int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value) { - int32_t t = (int32_t)value * - LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER + - (LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R >> 1U); + int32_t t = + (int32_t) /* hax_debug_assert!( i32::from(value) > -BARRETT_R && + i32::from(value) < BARRETT_R, "value is {value}" ); */ + value + + * LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER + + (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U); int16_t quotient = - (int16_t)(t >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT); + (int16_t)(t >> + (uint32_t) + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT); return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t vi = + v.elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - vec.elements[i0]); - vec.elements[i0] = vi; + v.elements[i0]); } - return vec; + return v; } /** @@ -1056,17 +1058,20 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) - the absolute value of `o` is bound as follows: - `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 - - In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS + 1664 + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. */ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value) { int32_t k = - (int32_t)(int16_t)value * + (int32_t)(int16_t) /* hax_debug_assert!( value >= -FIELD_MODULUS * + MONTGOMERY_R && value <= FIELD_MODULUS * + MONTGOMERY_R, "value is {value}" ); */ + value + + * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; int32_t k_times_modulus = (int32_t)(int16_t)k * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; @@ -1095,22 +1100,21 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( KRML_MUSTINLINE int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer) { - int32_t product = (int32_t)fe * (int32_t)fer; return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - product); + (int32_t)fe * (int32_t)fer); } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = + v.elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec.elements[i0], c); + v.elements[i0], c); } - return vec; + return v; } /** @@ -1176,15 +1180,15 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - a.elements[i0] = (int16_t) + v.elements[i0] = (int16_t) libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( - (uint16_t)a.elements[i0]); + (uint16_t)v.elements[i0]); } - return a; + return v; } /** @@ -1193,14 +1197,19 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_1_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_1(v); } KRML_MUSTINLINE uint32_t libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( uint8_t n, uint32_t value) { - return value & ((1U << (uint32_t)n) - 1U); + return + /* hax_debug_assert!(n == 4 || n == 5 || n == 10 || n == 11 || n == + MONTGOMERY_SHIFT); */ + value + + & ((1U << (uint32_t)n) - 1U); } int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( @@ -1224,38 +1233,36 @@ int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j) { int16_t t = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec->elements[j], zeta); - int16_t a_minus_t = vec->elements[i] - t; - int16_t a_plus_t = vec->elements[i] + t; - vec->elements[j] = a_minus_t; - vec->elements[i] = a_plus_t; + v->elements[j], zeta); + v->elements[j] = v->elements[i] - t; + v->elements[i] = v->elements[i] + t; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U, (size_t)15U); - return vec; + return v; } /** @@ -1272,25 +1279,25 @@ libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U, (size_t)15U); - return vec; + return v; } /** @@ -1306,25 +1313,22 @@ libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U, - (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U, - (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U); + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U); + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U, (size_t)15U); - return vec; + return v; } /** @@ -1338,40 +1342,38 @@ libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d( } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j) { - int16_t a_minus_b = vec->elements[j] - vec->elements[i]; - int16_t a_plus_b = vec->elements[j] + vec->elements[i]; - int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - a_plus_b); - int16_t o1 = + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j) { + int16_t a_minus_b = v->elements[j] - v->elements[i]; + v->elements[i] = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v->elements[i] + v->elements[j]); + v->elements[j] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b, zeta); - vec->elements[i] = o0; - vec->elements[j] = o1; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)13U, (size_t)15U); - return vec; + return v; } /** @@ -1388,25 +1390,25 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)11U, (size_t)15U); - return vec; + return v; } /** @@ -1423,25 +1425,24 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)7U, (size_t)15U); - return vec; + return v; } /** @@ -1454,34 +1455,45 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, - size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { - int16_t ai = a->elements[(size_t)2U * i]; - int16_t bi = b->elements[(size_t)2U * i]; - int16_t aj = a->elements[(size_t)2U * i + (size_t)1U]; - int16_t bj = b->elements[(size_t)2U * i + (size_t)1U]; - int32_t ai_bi = (int32_t)ai * (int32_t)bi; - int32_t aj_bj_ = (int32_t)aj * (int32_t)bj; - int16_t aj_bj = - libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - aj_bj_); - int32_t aj_bj_zeta = (int32_t)aj_bj * (int32_t)zeta; - int32_t ai_bi_aj_bj = ai_bi + aj_bj_zeta; - int16_t o0 = - libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - ai_bi_aj_bj); - int32_t ai_bj = (int32_t)ai * (int32_t)bj; - int32_t aj_bi = (int32_t)aj * (int32_t)bi; - int32_t ai_bj_aj_bi = ai_bj + aj_bi; + size_t i, size_t j, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a->elements[i] * (int32_t)b->elements[i] + + (int32_t) + libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a->elements[j] * (int32_t)b->elements[j]) * + (int32_t)zeta); int16_t o1 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - ai_bj_aj_bi); - int16_t _out0[16U]; - memcpy(_out0, out->elements, (size_t)16U * sizeof(int16_t)); - out->elements[(size_t)2U * i] = o0; - out->elements[(size_t)2U * i + (size_t)1U] = o1; + (int32_t)a->elements[i] * (int32_t)b->elements[j] + + (int32_t)a->elements[j] * (int32_t)b->elements[i]); + out->elements[i] = o0; + out->elements[j] = o1; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -1489,28 +1501,24 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - int16_t nzeta0 = -zeta0; - int16_t nzeta1 = -zeta1; - int16_t nzeta2 = -zeta2; - int16_t nzeta3 = -zeta3; libcrux_ml_kem_vector_portable_vector_type_PortableVector out = libcrux_ml_kem_vector_portable_vector_type_zero(); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta0, - (size_t)0U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta0, - (size_t)1U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta1, - (size_t)2U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta1, - (size_t)3U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta2, - (size_t)4U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta2, - (size_t)5U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta3, - (size_t)6U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta3, - (size_t)7U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out); return out; } @@ -1530,30 +1538,18 @@ libcrux_ml_kem_vector_portable_ntt_multiply_0d( KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[2U]) { - uint8_t result0 = (((((((uint32_t)(uint8_t)v.elements[0U] | - (uint32_t)(uint8_t)v.elements[1U] << 1U) | - (uint32_t)(uint8_t)v.elements[2U] << 2U) | - (uint32_t)(uint8_t)v.elements[3U] << 3U) | - (uint32_t)(uint8_t)v.elements[4U] << 4U) | - (uint32_t)(uint8_t)v.elements[5U] << 5U) | - (uint32_t)(uint8_t)v.elements[6U] << 6U) | - (uint32_t)(uint8_t)v.elements[7U] << 7U; - uint8_t result1 = (((((((uint32_t)(uint8_t)v.elements[8U] | - (uint32_t)(uint8_t)v.elements[9U] << 1U) | - (uint32_t)(uint8_t)v.elements[10U] << 2U) | - (uint32_t)(uint8_t)v.elements[11U] << 3U) | - (uint32_t)(uint8_t)v.elements[12U] << 4U) | - (uint32_t)(uint8_t)v.elements[13U] << 5U) | - (uint32_t)(uint8_t)v.elements[14U] << 6U) | - (uint32_t)(uint8_t)v.elements[15U] << 7U; - ret[0U] = result0; - ret[1U] = result1; -} - -void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret); + uint8_t result[2U] = {0U}; + KRML_MAYBE_FOR8( + i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i; + size_t uu____0 = (size_t)0U; + result[uu____0] = (uint32_t)result[uu____0] | + (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0;); + KRML_MAYBE_FOR8(i, (size_t)8U, (size_t)16U, (size_t)1U, size_t i0 = i; + size_t uu____1 = (size_t)1U; + result[uu____1] = (uint32_t)result[uu____1] | + (uint32_t)(uint8_t)v.elements[i0] + << (uint32_t)(i0 - (size_t)8U);); + memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); } /** @@ -1563,96 +1559,28 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_1_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_1(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret); } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { - int16_t result0 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) & - 1U); - int16_t result1 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 1U & - 1U); - int16_t result2 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 2U & - 1U); - int16_t result3 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 3U & - 1U); - int16_t result4 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 4U & - 1U); - int16_t result5 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 5U & - 1U); - int16_t result6 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 6U & - 1U); - int16_t result7 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 7U & - 1U); - int16_t result8 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) & - 1U); - int16_t result9 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 1U & - 1U); - int16_t result10 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 2U & - 1U); - int16_t result11 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 3U & - 1U); - int16_t result12 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 4U & - 1U); - int16_t result13 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 5U & - 1U); - int16_t result14 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 6U & - 1U); - int16_t result15 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 7U & - 1U); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = result0; - lit.elements[1U] = result1; - lit.elements[2U] = result2; - lit.elements[3U] = result3; - lit.elements[4U] = result4; - lit.elements[5U] = result5; - lit.elements[6U] = result6; - lit.elements[7U] = result7; - lit.elements[8U] = result8; - lit.elements[9U] = result9; - lit.elements[10U] = result10; - lit.elements[11U] = result11; - lit.elements[12U] = result12; - lit.elements[13U] = result13; - lit.elements[14U] = result14; - lit.elements[15U] = result15; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + libcrux_ml_kem_vector_portable_vector_type_zero(); + KRML_MAYBE_FOR8( + i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i; + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)0U, uint8_t, uint8_t *) >> + (uint32_t)i0 & + 1U);); + for (size_t i = (size_t)8U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)1U, uint8_t, uint8_t *) >> + (uint32_t)(i0 - (size_t)8U) & + 1U); + } + return result; } /** @@ -1661,7 +1589,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_1(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a); } KRML_MUSTINLINE uint8_t_x4 @@ -1701,20 +1629,16 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4( libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = result0_3.fst; - ret[1U] = result0_3.snd; - ret[2U] = result0_3.thd; - ret[3U] = result0_3.f3; - ret[4U] = result4_7.fst; - ret[5U] = result4_7.snd; - ret[6U] = result4_7.thd; - ret[7U] = result4_7.f3; -} - -void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret); + uint8_t result[8U] = {0U}; + result[0U] = result0_3.fst; + result[1U] = result0_3.snd; + result[2U] = result0_3.thd; + result[3U] = result0_3.f3; + result[4U] = result4_7.fst; + result[5U] = result4_7.snd; + result[6U] = result4_7.thd; + result[7U] = result4_7.f3; + memcpy(ret, result, (size_t)8U * sizeof(uint8_t)); } /** @@ -1724,7 +1648,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_4_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_4(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret); } KRML_MUSTINLINE int16_t_x8 @@ -1774,29 +1698,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -1805,7 +1725,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_4(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a); } KRML_MUSTINLINE uint8_t_x5 @@ -1841,22 +1761,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_5( uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; -} - -void libcrux_ml_kem_vector_portable_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret); + uint8_t result[10U] = {0U}; + result[0U] = r0_4.fst; + result[1U] = r0_4.snd; + result[2U] = r0_4.thd; + result[3U] = r0_4.f3; + result[4U] = r0_4.f4; + result[5U] = r5_9.fst; + result[6U] = r5_9.snd; + result[7U] = r5_9.thd; + result[8U] = r5_9.f3; + result[9U] = r5_9.f4; + memcpy(ret, result, (size_t)10U * sizeof(uint8_t)); } /** @@ -1866,7 +1782,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_5_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[10U]) { - libcrux_ml_kem_vector_portable_serialize_5(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret); } KRML_MUSTINLINE int16_t_x8 @@ -1927,29 +1843,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -1958,7 +1870,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_5(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a); } KRML_MUSTINLINE uint8_t_x5 @@ -2010,32 +1922,33 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10( uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, int16_t)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; - ret[10U] = r10_14.fst; - ret[11U] = r10_14.snd; - ret[12U] = r10_14.thd; - ret[13U] = r10_14.f3; - ret[14U] = r10_14.f4; - ret[15U] = r15_19.fst; - ret[16U] = r15_19.snd; - ret[17U] = r15_19.thd; - ret[18U] = r15_19.f3; - ret[19U] = r15_19.f4; -} - -void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret); + /* Here we could also do, the following, but it slows F* down: [r0_4.0, + * r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, + * r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, + * r15_19.2, r15_19.3, r15_19.4 ] If we can fix the F* for this, the code + * would be more compact. */ + uint8_t result[20U] = {0U}; + result[0U] = r0_4.fst; + result[1U] = r0_4.snd; + result[2U] = r0_4.thd; + result[3U] = r0_4.f3; + result[4U] = r0_4.f4; + result[5U] = r5_9.fst; + result[6U] = r5_9.snd; + result[7U] = r5_9.thd; + result[8U] = r5_9.f3; + result[9U] = r5_9.f4; + result[10U] = r10_14.fst; + result[11U] = r10_14.snd; + result[12U] = r10_14.thd; + result[13U] = r10_14.f3; + result[14U] = r10_14.f4; + result[15U] = r15_19.fst; + result[16U] = r15_19.snd; + result[17U] = r15_19.thd; + result[18U] = r15_19.f3; + result[19U] = r15_19.f4; + memcpy(ret, result, (size_t)20U * sizeof(uint8_t)); } /** @@ -2045,7 +1958,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_10_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_10(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret); } KRML_MUSTINLINE int16_t_x8 @@ -2114,29 +2027,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -2145,7 +2054,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_10(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a); } KRML_MUSTINLINE uint8_t_x3 @@ -2187,36 +2096,32 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12( uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, int16_t)); - ret[0U] = r0_2.fst; - ret[1U] = r0_2.snd; - ret[2U] = r0_2.thd; - ret[3U] = r3_5.fst; - ret[4U] = r3_5.snd; - ret[5U] = r3_5.thd; - ret[6U] = r6_8.fst; - ret[7U] = r6_8.snd; - ret[8U] = r6_8.thd; - ret[9U] = r9_11.fst; - ret[10U] = r9_11.snd; - ret[11U] = r9_11.thd; - ret[12U] = r12_14.fst; - ret[13U] = r12_14.snd; - ret[14U] = r12_14.thd; - ret[15U] = r15_17.fst; - ret[16U] = r15_17.snd; - ret[17U] = r15_17.thd; - ret[18U] = r18_20.fst; - ret[19U] = r18_20.snd; - ret[20U] = r18_20.thd; - ret[21U] = r21_23.fst; - ret[22U] = r21_23.snd; - ret[23U] = r21_23.thd; -} - -void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret); + uint8_t result[24U] = {0U}; + result[0U] = r0_2.fst; + result[1U] = r0_2.snd; + result[2U] = r0_2.thd; + result[3U] = r3_5.fst; + result[4U] = r3_5.snd; + result[5U] = r3_5.thd; + result[6U] = r6_8.fst; + result[7U] = r6_8.snd; + result[8U] = r6_8.thd; + result[9U] = r9_11.fst; + result[10U] = r9_11.snd; + result[11U] = r9_11.thd; + result[12U] = r12_14.fst; + result[13U] = r12_14.snd; + result[14U] = r12_14.thd; + result[15U] = r15_17.fst; + result[16U] = r15_17.snd; + result[17U] = r15_17.thd; + result[18U] = r18_20.fst; + result[19U] = r18_20.snd; + result[20U] = r18_20.thd; + result[21U] = r21_23.fst; + result[22U] = r21_23.snd; + result[23U] = r21_23.thd; + memcpy(ret, result, (size_t)24U * sizeof(uint8_t)); } /** @@ -2226,7 +2131,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} void libcrux_ml_kem_vector_portable_serialize_12_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_12(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret); } KRML_MUSTINLINE int16_t_x2 @@ -2264,29 +2169,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { int16_t_x2 v14_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_1.fst; - lit.elements[1U] = v0_1.snd; - lit.elements[2U] = v2_3.fst; - lit.elements[3U] = v2_3.snd; - lit.elements[4U] = v4_5.fst; - lit.elements[5U] = v4_5.snd; - lit.elements[6U] = v6_7.fst; - lit.elements[7U] = v6_7.snd; - lit.elements[8U] = v8_9.fst; - lit.elements[9U] = v8_9.snd; - lit.elements[10U] = v10_11.fst; - lit.elements[11U] = v10_11.snd; - lit.elements[12U] = v12_13.fst; - lit.elements[13U] = v12_13.snd; - lit.elements[14U] = v14_15.fst; - lit.elements[15U] = v14_15.snd; - return lit; -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector re = + libcrux_ml_kem_vector_portable_vector_type_zero(); + re.elements[0U] = v0_1.fst; + re.elements[1U] = v0_1.snd; + re.elements[2U] = v2_3.fst; + re.elements[3U] = v2_3.snd; + re.elements[4U] = v4_5.fst; + re.elements[5U] = v4_5.snd; + re.elements[6U] = v6_7.fst; + re.elements[7U] = v6_7.snd; + re.elements[8U] = v8_9.fst; + re.elements[9U] = v8_9.snd; + re.elements[10U] = v10_11.fst; + re.elements[11U] = v10_11.snd; + re.elements[12U] = v12_13.fst; + re.elements[13U] = v12_13.snd; + re.elements[14U] = v14_15.fst; + re.elements[15U] = v14_15.snd; + return re; } /** @@ -2295,7 +2196,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_12(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a); } KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( @@ -2380,15 +2281,15 @@ libcrux_ml_kem_vector_portable_vector_type_clone_3b( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_ef_8c(void) { +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_d6_8c(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d(); lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d(); @@ -2409,6 +2310,12 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_ef_8c(void) { return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -2417,7 +2324,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_to_reduced_ring_element_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -2436,9 +2343,10 @@ deserialize_to_reduced_ring_element_8c(Eurydice_slice serialized) { A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1568 - K= 4 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_d0( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f0( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { for (size_t i = (size_t)0U; @@ -2457,25 +2365,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_d0( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1568 - K= 4 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_d0( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_5f( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_8c();); - deserialize_ring_elements_reduced_d0(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[4U]; - memcpy( - result, deserialized_pk, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + deserialized_pk[i] = ZERO_d6_8c();); + deserialize_ring_elements_reduced_5f0(public_key, deserialized_pk); memcpy( - ret, result, + ret, deserialized_pk, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } @@ -2485,13 +2396,13 @@ with const generics - SHIFT_BY= 15 */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -shift_right_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { +shift_right_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15; + v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15; } - return vec; + return v; } /** @@ -2526,13 +2437,13 @@ to_unsigned_representative_8c( } /** -A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -to_unsigned_field_modulus_8c( +to_unsigned_field_element_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector result = to_unsigned_representative_8c(a); @@ -2552,7 +2463,7 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_8c( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_field_modulus_8c(re->coefficients[i0]); + to_unsigned_field_element_8c(re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -2636,6 +2547,13 @@ static KRML_MUSTINLINE void serialize_public_key_00( memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -2646,7 +2564,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_00(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U]; - deserialize_ring_elements_reduced_out_d0( + deserialize_ring_elements_reduced_out_5f( Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, uint8_t, size_t), deserialized_pk); @@ -2674,6 +2592,13 @@ static KRML_MUSTINLINE void H_f1_ac(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_portable_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] @@ -2724,10 +2649,10 @@ with const generics */ static IndCpaPrivateKeyUnpacked_af default_1a_d0(void) { IndCpaPrivateKeyUnpacked_af lit; - lit.secret_as_ntt[0U] = ZERO_ef_8c(); - lit.secret_as_ntt[1U] = ZERO_ef_8c(); - lit.secret_as_ntt[2U] = ZERO_ef_8c(); - lit.secret_as_ntt[3U] = ZERO_ef_8c(); + lit.secret_as_ntt[0U] = ZERO_d6_8c(); + lit.secret_as_ntt[1U] = ZERO_d6_8c(); + lit.secret_as_ntt[2U] = ZERO_d6_8c(); + lit.secret_as_ntt[3U] = ZERO_d6_8c(); return lit; } @@ -2757,29 +2682,29 @@ with const generics static IndCpaPublicKeyUnpacked_af default_8d_d0(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - uu____0[i] = ZERO_ef_8c();); + uu____0[i] = ZERO_d6_8c();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_af lit; memcpy( lit.t_as_ntt, uu____0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_8c(); - lit.A[0U][1U] = ZERO_ef_8c(); - lit.A[0U][2U] = ZERO_ef_8c(); - lit.A[0U][3U] = ZERO_ef_8c(); - lit.A[1U][0U] = ZERO_ef_8c(); - lit.A[1U][1U] = ZERO_ef_8c(); - lit.A[1U][2U] = ZERO_ef_8c(); - lit.A[1U][3U] = ZERO_ef_8c(); - lit.A[2U][0U] = ZERO_ef_8c(); - lit.A[2U][1U] = ZERO_ef_8c(); - lit.A[2U][2U] = ZERO_ef_8c(); - lit.A[2U][3U] = ZERO_ef_8c(); - lit.A[3U][0U] = ZERO_ef_8c(); - lit.A[3U][1U] = ZERO_ef_8c(); - lit.A[3U][2U] = ZERO_ef_8c(); - lit.A[3U][3U] = ZERO_ef_8c(); + lit.A[0U][0U] = ZERO_d6_8c(); + lit.A[0U][1U] = ZERO_d6_8c(); + lit.A[0U][2U] = ZERO_d6_8c(); + lit.A[0U][3U] = ZERO_d6_8c(); + lit.A[1U][0U] = ZERO_d6_8c(); + lit.A[1U][1U] = ZERO_d6_8c(); + lit.A[1U][2U] = ZERO_d6_8c(); + lit.A[1U][3U] = ZERO_d6_8c(); + lit.A[2U][0U] = ZERO_d6_8c(); + lit.A[2U][1U] = ZERO_d6_8c(); + lit.A[2U][2U] = ZERO_d6_8c(); + lit.A[2U][3U] = ZERO_d6_8c(); + lit.A[3U][0U] = ZERO_d6_8c(); + lit.A[3U][1U] = ZERO_d6_8c(); + lit.A[3U][2U] = ZERO_d6_8c(); + lit.A[3U][3U] = ZERO_d6_8c(); return lit; } @@ -2832,12 +2757,11 @@ typedef struct PortableHash_44_s { /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics - K= 4 */ static KRML_MUSTINLINE PortableHash_44 -shake128_init_absorb_final_ac(uint8_t input[4U][34U]) { +shake128_init_absorb_ac(uint8_t input[4U][34U]) { libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, @@ -2863,25 +2787,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const generics - K= 4 */ static KRML_MUSTINLINE PortableHash_44 -shake128_init_absorb_final_f1_ac(uint8_t input[4U][34U]) { +shake128_init_absorb_f1_ac(uint8_t input[4U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[4U][34U]; memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_ac(copy_of_input); + return shake128_init_absorb_ac(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const +generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_ac( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_ac( PortableHash_44 *st, uint8_t ret[4U][504U]) { uint8_t out[4U][504U] = {{0U}}; KRML_MAYBE_FOR4( @@ -2898,13 +2822,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1 -with const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with +const generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_ac( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_ac( PortableHash_44 *self, uint8_t ret[4U][504U]) { - shake128_squeeze_first_three_blocks_ac(self, ret); + shake128_squeeze_three_blocks_ac(self, ret); } /** @@ -2989,12 +2913,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_ac( - PortableHash_44 *st, uint8_t ret[4U][168U]) { +static KRML_MUSTINLINE void shake128_squeeze_block_ac(PortableHash_44 *st, + uint8_t ret[4U][168U]) { uint8_t out[4U][168U] = {{0U}}; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; @@ -3010,13 +2934,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const generics - K= 4 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_ac( +static KRML_MUSTINLINE void shake128_squeeze_block_f1_ac( PortableHash_44 *self, uint8_t ret[4U][168U]) { - shake128_squeeze_next_block_ac(self, ret); + shake128_squeeze_block_ac(self, ret); } /** @@ -3102,17 +3026,17 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff0( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef +A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -from_i16_array_ef_8c(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); +from_i16_array_d6_8c(Eurydice_slice a) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -3134,7 +3058,7 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b( int16_t s[272U]) { - return from_i16_array_ef_8c( + return from_i16_array_d6_8c( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -3153,9 +3077,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seeds[4U][34U]; memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); - PortableHash_44 xof_state = shake128_init_absorb_final_f1_ac(copy_of_seeds); + PortableHash_44 xof_state = shake128_init_absorb_f1_ac(copy_of_seeds); uint8_t randomness0[4U][504U]; - shake128_squeeze_first_three_blocks_f1_ac(&xof_state, randomness0); + shake128_squeeze_three_blocks_f1_ac(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[4U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U])); @@ -3170,7 +3094,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b( break; } else { uint8_t randomness[4U][168U]; - shake128_squeeze_next_block_f1_ac(&xof_state, randomness); + shake128_squeeze_block_f1_ac(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[4U][168U]; memcpy(copy_of_randomness, randomness, @@ -3218,13 +3142,14 @@ static KRML_MUSTINLINE void sample_matrix_A_2b( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)4U, sampled, + (size_t)4U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), libcrux_ml_kem_polynomial_PolynomialRingElement_1d); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -3264,6 +3189,55 @@ static KRML_MUSTINLINE void PRFxN_f1_44(uint8_t (*input)[33U], PRFxN_44(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types @@ -3305,7 +3279,7 @@ sample_from_binomial_distribution_2_8c(Eurydice_slice randomness) { sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_ef_8c( + return from_i16_array_d6_8c( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3349,7 +3323,7 @@ sample_from_binomial_distribution_3_8c(Eurydice_slice randomness) { sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_ef_8c( + return from_i16_array_d6_8c( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3440,13 +3414,7 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_8c( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; - i0 < (size_t)128U >> - (uint32_t) /* The semicolon and parentheses at the end of loop are a - workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ - layer; - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; size_t offset = round * step * (size_t)2U; @@ -3457,7 +3425,7 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = ntt_layer_int_vec_step_8c( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; @@ -3480,7 +3448,7 @@ static KRML_MUSTINLINE void ntt_at_layer_3_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); re->coefficients[round] = uu____0;); } @@ -3498,8 +3466,9 @@ static KRML_MUSTINLINE void ntt_at_layer_2_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); zeta_i[0U] = zeta_i[0U] + (size_t)1U;); } @@ -3517,32 +3486,33 @@ static KRML_MUSTINLINE void ntt_at_layer_1_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); zeta_i[0U] = zeta_i[0U] + (size_t)3U;); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void poly_barrett_reduce_ef_8c( +static KRML_MUSTINLINE void poly_barrett_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -3571,7 +3541,7 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_8c( ntt_at_layer_3_8c(&zeta_i, re); ntt_at_layer_2_8c(&zeta_i, re); ntt_at_layer_1_8c(&zeta_i, re); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } /** @@ -3632,7 +3602,7 @@ static KRML_MUSTINLINE tuple_dd0 sample_vector_cbd_then_ntt_out_3b( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_8c();); + re_as_ntt[i] = ZERO_d6_8c();); libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -3651,55 +3621,88 @@ static KRML_MUSTINLINE tuple_dd0 sample_vector_cbd_then_ntt_out_3b( return lit; } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -ntt_multiply_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, +ntt_multiply_d6_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - * error while extracting hax_debug_debug_assert!(lhs .coefficients - * .into_iter() .all(|coefficient| coefficient >= 0 && coefficient < 4096)); - */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_ef_8c(); + /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| + * coefficient >= 0 && coefficient < 4096)); */ + libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_ntt_multiply_0d( &self->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)3U]); out.coefficients[i0] = uu____0; } return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_d0( +static KRML_MUSTINLINE void add_to_ring_element_d6_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { for (size_t i = (size_t)0U; @@ -3737,23 +3740,21 @@ to_standard_domain_8c( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_standard_error_reduce_ef_8c( +static KRML_MUSTINLINE void add_standard_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -3793,7 +3794,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -3806,10 +3807,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_d0(&t_as_ntt[i0], &product); + ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_d0(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_8c(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -3911,6 +3912,9 @@ generate_keypair_151(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] @@ -3998,13 +4002,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f81(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_83 private_key = - libcrux_ml_kem_types_from_7f_39(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_39(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_83 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1568U]; memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_94( - uu____2, libcrux_ml_kem_types_from_5a_af(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_94( + uu____2, libcrux_ml_kem_types_from_40_af(copy_of_public_key)); } /** @@ -4025,6 +4029,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_03(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1536 +- K= 4 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_0d( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = + deserialize_to_reduced_ring_element_8c(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4038,7 +4068,7 @@ static KRML_MUSTINLINE tuple_dd0 sample_ring_element_cbd_3b(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - error_1[i] = ZERO_ef_8c();); + error_1[i] = ZERO_d6_8c();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -4113,10 +4143,13 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_1_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); zeta_i[0U] = zeta_i[0U] - (size_t)3U;); } @@ -4134,8 +4167,9 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_2_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); zeta_i[0U] = zeta_i[0U] - (size_t)1U;); } @@ -4153,7 +4187,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_3_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); re->coefficients[round] = uu____0;); } @@ -4208,7 +4242,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = inv_ntt_layer_int_vec_step_reduce_8c( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; @@ -4237,29 +4271,27 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_d0( invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_error_reduce_ef_8c( +static KRML_MUSTINLINE void add_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -4275,6 +4307,9 @@ static KRML_MUSTINLINE void add_error_reduce_ef_8c( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4288,7 +4323,7 @@ static KRML_MUSTINLINE void compute_vector_u_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - result[i] = ZERO_ef_8c();); + result[i] = ZERO_d6_8c();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -4308,11 +4343,11 @@ static KRML_MUSTINLINE void compute_vector_u_d0( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_d0(&result[i1], &product); + ntt_multiply_d6_8c(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_d0(&result[i1], &product); } invert_ntt_montgomery_d0(&result[i1]); - add_error_reduce_ef_8c(&result[i1], &error_1[i1]); + add_error_reduce_d6_8c(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -4345,7 +4380,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_then_decompress_message_8c(uint8_t serialized[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4363,25 +4398,21 @@ deserialize_then_decompress_message_8c(uint8_t serialized[32U]) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -add_message_error_reduce_ef_8c( +add_message_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_normal_form = @@ -4418,6 +4449,9 @@ add_message_error_reduce_ef_8c( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4430,13 +4464,13 @@ compute_ring_element_v_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_d0(&result, &product);); + ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_d0(&result, &product);); invert_ntt_montgomery_d0(&result); - result = add_message_error_reduce_ef_8c(error_2, message, result); + result = add_message_error_reduce_d6_8c(error_2, message, result); return result; } @@ -4468,8 +4502,8 @@ with const generics - COEFFICIENT_BITS= 10 */ static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_ef(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return compress_ef(v); } /** @@ -4500,8 +4534,8 @@ with const generics - COEFFICIENT_BITS= 11 */ static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_c4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return compress_c4(v); } /** @@ -4517,7 +4551,7 @@ static KRML_MUSTINLINE void compress_then_serialize_11_54( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_c4(to_unsigned_representative_8c(re->coefficients[i0])); + compress_0d_c4(to_unsigned_field_element_8c(re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -4607,8 +4641,8 @@ with const generics - COEFFICIENT_BITS= 4 */ static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_d1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return compress_d1(v); } /** @@ -4628,10 +4662,7 @@ static KRML_MUSTINLINE void compress_then_serialize_4_8c( i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_d1(to_unsigned_field_modulus_8c( - re.coefficients[/* NOTE: Using `$serialized` in loop_invariant - doesn't work here */ - i0])); + compress_0d_d1(to_unsigned_field_element_8c(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); Eurydice_slice_copy( @@ -4669,8 +4700,8 @@ with const generics - COEFFICIENT_BITS= 5 */ static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_f4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return compress_f4(v); } /** @@ -4690,7 +4721,7 @@ static KRML_MUSTINLINE void compress_then_serialize_5_8c( i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = - compress_0d_f4(to_unsigned_representative_8c(re.coefficients[i0])); + compress_0d_f4(to_unsigned_field_element_8c(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); Eurydice_slice_copy( @@ -4818,7 +4849,7 @@ static KRML_MUSTINLINE void encrypt_2a1(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[1568U]) { IndCpaPublicKeyUnpacked_af unpacked_public_key = default_8d_d0(); - deserialize_ring_elements_reduced_d0( + deserialize_ring_elements_reduced_0d( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1536U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -4894,7 +4925,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1( size_t); uint8_t ret[32U]; H_f1_ac(Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), + (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -4908,7 +4939,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), uint8_t); + (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -4918,7 +4949,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1( uint8_t copy_of_ciphertext[1568U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_64 ciphertext0 = - libcrux_ml_kem_types_from_01_af(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_af(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_60(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_64 uu____5 = ciphertext0; @@ -4940,7 +4971,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_to_uncompressed_ring_element_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -4964,7 +4995,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_8c();); + secret_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -5029,14 +5060,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_then_decompress_10_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); - LowStar_Ignore_ignore( - Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)16U, re.coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector), - libcrux_ml_kem_vector_portable_vector_type_PortableVector), - size_t, void *); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; @@ -5096,7 +5120,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_then_decompress_11_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; @@ -5138,7 +5162,7 @@ static KRML_MUSTINLINE void ntt_vector_u_5e( ntt_at_layer_3_8c(&zeta_i, re); ntt_at_layer_2_8c(&zeta_i, re); ntt_at_layer_1_8c(&zeta_i, re); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } /** @@ -5154,7 +5178,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_00( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_8c();); + u_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), @@ -5225,7 +5249,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_then_decompress_4_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; @@ -5285,7 +5309,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialize_then_decompress_5_8c(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; @@ -5314,23 +5338,19 @@ deserialize_then_decompress_ring_element_v_9f(Eurydice_slice serialized) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -subtract_reduce_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, +subtract_reduce_d6_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_normal_form = @@ -5345,6 +5365,12 @@ subtract_reduce_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5356,13 +5382,13 @@ compute_message_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_d0(&result, &product);); + ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_d0(&result, &product);); invert_ntt_montgomery_d0(&result); - result = subtract_reduce_ef_8c(v, result); + result = subtract_reduce_d6_8c(v, result); return result; } @@ -5378,7 +5404,7 @@ static KRML_MUSTINLINE void compress_then_serialize_message_8c( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_field_modulus_8c(re.coefficients[i0]); + to_unsigned_field_element_8c(re.coefficients[i0]); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_compressed = libcrux_ml_kem_vector_portable_compress_1_0d(coefficient); @@ -5540,7 +5566,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_621( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_af(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_af(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_f1_44(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), @@ -5556,26 +5582,27 @@ void libcrux_ml_kem_ind_cca_decapsulate_621( kdf_d8_60(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_60(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_60(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_af(ciphertext), + libcrux_ml_kem_types_as_ref_fd_af(ciphertext), Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 800 - K= 2 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_a0( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1e( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { for (size_t i = (size_t)0U; @@ -5594,25 +5621,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_a0( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 800 - K= 2 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_a0( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1e( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_8c();); - deserialize_ring_elements_reduced_a0(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[2U]; - memcpy( - result, deserialized_pk, - (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + deserialized_pk[i] = ZERO_d6_8c();); + deserialize_ring_elements_reduced_1e(public_key, deserialized_pk); memcpy( - ret, result, + ret, deserialized_pk, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } @@ -5687,6 +5717,13 @@ static KRML_MUSTINLINE void serialize_public_key_86( memcpy(ret, public_key_serialized, (size_t)800U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5697,7 +5734,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_86(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[2U]; - deserialize_ring_elements_reduced_out_a0( + deserialize_ring_elements_reduced_out_1e( Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U, uint8_t, size_t), deserialized_pk); @@ -5725,6 +5762,13 @@ static KRML_MUSTINLINE void H_f1_fd(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_portable_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$2size_t]] @@ -5775,8 +5819,8 @@ with const generics */ static IndCpaPrivateKeyUnpacked_d4 default_1a_a0(void) { IndCpaPrivateKeyUnpacked_d4 lit; - lit.secret_as_ntt[0U] = ZERO_ef_8c(); - lit.secret_as_ntt[1U] = ZERO_ef_8c(); + lit.secret_as_ntt[0U] = ZERO_d6_8c(); + lit.secret_as_ntt[1U] = ZERO_d6_8c(); return lit; } @@ -5806,17 +5850,17 @@ with const generics static IndCpaPublicKeyUnpacked_d4 default_8d_a0(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - uu____0[i] = ZERO_ef_8c();); + uu____0[i] = ZERO_d6_8c();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_d4 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_8c(); - lit.A[0U][1U] = ZERO_ef_8c(); - lit.A[1U][0U] = ZERO_ef_8c(); - lit.A[1U][1U] = ZERO_ef_8c(); + lit.A[0U][0U] = ZERO_d6_8c(); + lit.A[0U][1U] = ZERO_d6_8c(); + lit.A[1U][0U] = ZERO_d6_8c(); + lit.A[1U][1U] = ZERO_d6_8c(); return lit; } @@ -5869,12 +5913,11 @@ typedef struct PortableHash_cf_s { /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics - K= 2 */ static KRML_MUSTINLINE PortableHash_cf -shake128_init_absorb_final_fd(uint8_t input[2U][34U]) { +shake128_init_absorb_fd(uint8_t input[2U][34U]) { libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[2U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, @@ -5900,25 +5943,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const generics - K= 2 */ static KRML_MUSTINLINE PortableHash_cf -shake128_init_absorb_final_f1_fd(uint8_t input[2U][34U]) { +shake128_init_absorb_f1_fd(uint8_t input[2U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[2U][34U]; memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_fd(copy_of_input); + return shake128_init_absorb_fd(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const +generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_fd( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_fd( PortableHash_cf *st, uint8_t ret[2U][504U]) { uint8_t out[2U][504U] = {{0U}}; KRML_MAYBE_FOR2( @@ -5935,13 +5978,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1 -with const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with +const generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_fd( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_fd( PortableHash_cf *self, uint8_t ret[2U][504U]) { - shake128_squeeze_first_three_blocks_fd(self, ret); + shake128_squeeze_three_blocks_fd(self, ret); } /** @@ -6026,12 +6069,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_64( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_fd( - PortableHash_cf *st, uint8_t ret[2U][168U]) { +static KRML_MUSTINLINE void shake128_squeeze_block_fd(PortableHash_cf *st, + uint8_t ret[2U][168U]) { uint8_t out[2U][168U] = {{0U}}; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; @@ -6047,13 +6090,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const generics - K= 2 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_fd( +static KRML_MUSTINLINE void shake128_squeeze_block_f1_fd( PortableHash_cf *self, uint8_t ret[2U][168U]) { - shake128_squeeze_next_block_fd(self, ret); + shake128_squeeze_block_fd(self, ret); } /** @@ -6145,7 +6188,7 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b0( int16_t s[272U]) { - return from_i16_array_ef_8c( + return from_i16_array_d6_8c( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -6164,9 +6207,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b0( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seeds[2U][34U]; memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); - PortableHash_cf xof_state = shake128_init_absorb_final_f1_fd(copy_of_seeds); + PortableHash_cf xof_state = shake128_init_absorb_f1_fd(copy_of_seeds); uint8_t randomness0[2U][504U]; - shake128_squeeze_first_three_blocks_f1_fd(&xof_state, randomness0); + shake128_squeeze_three_blocks_f1_fd(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[2U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U])); @@ -6181,7 +6224,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b0( break; } else { uint8_t randomness[2U][168U]; - shake128_squeeze_next_block_f1_fd(&xof_state, randomness); + shake128_squeeze_block_f1_fd(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[2U][168U]; memcpy(copy_of_randomness, randomness, @@ -6229,13 +6272,14 @@ static KRML_MUSTINLINE void sample_matrix_A_2b0( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)2U, sampled, + (size_t)2U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), libcrux_ml_kem_polynomial_PolynomialRingElement_1d); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -6344,7 +6388,7 @@ static KRML_MUSTINLINE tuple_400 sample_vector_cbd_then_ntt_out_3b0( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_8c();); + re_as_ntt[i] = ZERO_d6_8c();); libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -6363,18 +6407,22 @@ static KRML_MUSTINLINE tuple_400 sample_vector_cbd_then_ntt_out_3b0( return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 2 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_a0( +static KRML_MUSTINLINE void add_to_ring_element_d6_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { for (size_t i = (size_t)0U; @@ -6418,7 +6466,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -6431,10 +6479,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_a0(&t_as_ntt[i0], &product); + ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_a0(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_8c(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -6536,6 +6584,9 @@ generate_keypair_150(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$2size_t]] @@ -6623,13 +6674,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f80(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_fa private_key = - libcrux_ml_kem_types_from_7f_2a(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_2a(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_fa uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[800U]; memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_fa( - uu____2, libcrux_ml_kem_types_from_5a_4d(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_fa( + uu____2, libcrux_ml_kem_types_from_40_4d(copy_of_public_key)); } /** @@ -6650,6 +6701,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_10(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 768 +- K= 2 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = + deserialize_to_reduced_ring_element_8c(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN with const generics @@ -6695,7 +6772,7 @@ static KRML_MUSTINLINE tuple_400 sample_ring_element_cbd_3b0(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - error_1[i] = ZERO_ef_8c();); + error_1[i] = ZERO_d6_8c();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -6764,9 +6841,12 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_a0( invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -6780,7 +6860,7 @@ static KRML_MUSTINLINE void compute_vector_u_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - result[i] = ZERO_ef_8c();); + result[i] = ZERO_d6_8c();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -6800,17 +6880,20 @@ static KRML_MUSTINLINE void compute_vector_u_a0( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_a0(&result[i1], &product); + ntt_multiply_d6_8c(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_a0(&result[i1], &product); } invert_ntt_montgomery_a0(&result[i1]); - add_error_reduce_ef_8c(&result[i1], &error_1[i1]); + add_error_reduce_d6_8c(&result[i1], &error_1[i1]); } memcpy( ret, result, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -6823,13 +6906,13 @@ compute_ring_element_v_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_a0(&result, &product);); + ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_a0(&result, &product);); invert_ntt_montgomery_a0(&result); - result = add_message_error_reduce_ef_8c(error_2, message, result); + result = add_message_error_reduce_d6_8c(error_2, message, result); return result; } @@ -6846,7 +6929,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_ff( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_ef(to_unsigned_field_modulus_8c(re->coefficients[i0])); + compress_0d_ef(to_unsigned_field_element_8c(re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -6854,9 +6937,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_ff( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } - uint8_t result[320U]; - memcpy(result, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -7029,7 +7110,7 @@ static KRML_MUSTINLINE void encrypt_2a0(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[768U]) { IndCpaPublicKeyUnpacked_d4 unpacked_public_key = default_8d_a0(); - deserialize_ring_elements_reduced_a0( + deserialize_ring_elements_reduced_5f( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)768U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -7105,7 +7186,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0( size_t); uint8_t ret[32U]; H_f1_fd(Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), + (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -7119,7 +7200,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), uint8_t); + (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -7129,7 +7210,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0( uint8_t copy_of_ciphertext[768U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_1a ciphertext0 = - libcrux_ml_kem_types_from_01_d0(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_d0(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_30(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_1a uu____5 = ciphertext0; @@ -7154,7 +7235,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_8c();); + secret_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -7201,7 +7282,7 @@ static KRML_MUSTINLINE void ntt_vector_u_0a( ntt_at_layer_3_8c(&zeta_i, re); ntt_at_layer_2_8c(&zeta_i, re); ntt_at_layer_1_8c(&zeta_i, re); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } /** @@ -7217,7 +7298,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_86( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_8c();); + u_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t), @@ -7254,6 +7335,12 @@ deserialize_then_decompress_ring_element_v_d0(Eurydice_slice serialized) { return deserialize_then_decompress_4_8c(serialized); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7265,13 +7352,13 @@ compute_message_a0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_a0(&result, &product);); + ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_a0(&result, &product);); invert_ntt_montgomery_a0(&result); - result = subtract_reduce_ef_8c(v, result); + result = subtract_reduce_d6_8c(v, result); return result; } @@ -7409,7 +7496,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_d0(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_d0(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_f1_49(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), @@ -7425,26 +7512,27 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( kdf_d8_30(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_30(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_30(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_d0(ciphertext), + libcrux_ml_kem_types_as_ref_fd_d0(ciphertext), Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1b( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_c0( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { for (size_t i = (size_t)0U; @@ -7463,25 +7551,28 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1b( } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1b( +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_c0( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = ZERO_ef_8c();); - deserialize_ring_elements_reduced_1b(public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; + deserialized_pk[i] = ZERO_d6_8c();); + deserialize_ring_elements_reduced_c0(public_key, deserialized_pk); memcpy( - result, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - memcpy( - ret, result, + ret, deserialized_pk, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } @@ -7556,6 +7647,13 @@ static KRML_MUSTINLINE void serialize_public_key_6c( memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7566,7 +7664,7 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_6c(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - deserialize_ring_elements_reduced_out_1b( + deserialize_ring_elements_reduced_out_c0( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t), deserialized_pk); @@ -7594,6 +7692,13 @@ static KRML_MUSTINLINE void H_f1_e0(Eurydice_slice input, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_portable_H(input, ret); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] @@ -7644,9 +7749,9 @@ with const generics */ static IndCpaPrivateKeyUnpacked_a0 default_1a_1b(void) { IndCpaPrivateKeyUnpacked_a0 lit; - lit.secret_as_ntt[0U] = ZERO_ef_8c(); - lit.secret_as_ntt[1U] = ZERO_ef_8c(); - lit.secret_as_ntt[2U] = ZERO_ef_8c(); + lit.secret_as_ntt[0U] = ZERO_d6_8c(); + lit.secret_as_ntt[1U] = ZERO_d6_8c(); + lit.secret_as_ntt[2U] = ZERO_d6_8c(); return lit; } @@ -7676,22 +7781,22 @@ with const generics static IndCpaPublicKeyUnpacked_a0 default_8d_1b(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - uu____0[i] = ZERO_ef_8c();); + uu____0[i] = ZERO_d6_8c();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_a0 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_ef_8c(); - lit.A[0U][1U] = ZERO_ef_8c(); - lit.A[0U][2U] = ZERO_ef_8c(); - lit.A[1U][0U] = ZERO_ef_8c(); - lit.A[1U][1U] = ZERO_ef_8c(); - lit.A[1U][2U] = ZERO_ef_8c(); - lit.A[2U][0U] = ZERO_ef_8c(); - lit.A[2U][1U] = ZERO_ef_8c(); - lit.A[2U][2U] = ZERO_ef_8c(); + lit.A[0U][0U] = ZERO_d6_8c(); + lit.A[0U][1U] = ZERO_d6_8c(); + lit.A[0U][2U] = ZERO_d6_8c(); + lit.A[1U][0U] = ZERO_d6_8c(); + lit.A[1U][1U] = ZERO_d6_8c(); + lit.A[1U][2U] = ZERO_d6_8c(); + lit.A[2U][0U] = ZERO_d6_8c(); + lit.A[2U][1U] = ZERO_d6_8c(); + lit.A[2U][2U] = ZERO_d6_8c(); return lit; } @@ -7744,12 +7849,11 @@ typedef struct PortableHash_88_s { /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics - K= 3 */ static KRML_MUSTINLINE PortableHash_88 -shake128_init_absorb_final_e0(uint8_t input[3U][34U]) { +shake128_init_absorb_e0(uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, @@ -7775,25 +7879,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const generics - K= 3 */ static KRML_MUSTINLINE PortableHash_88 -shake128_init_absorb_final_f1_e0(uint8_t input[3U][34U]) { +shake128_init_absorb_f1_e0(uint8_t input[3U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[3U][34U]; memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_e0(copy_of_input); + return shake128_init_absorb_e0(copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const +generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_e0( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_e0( PortableHash_88 *st, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; KRML_MAYBE_FOR3( @@ -7810,13 +7914,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1 -with const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with +const generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_e0( +static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_e0( PortableHash_88 *self, uint8_t ret[3U][504U]) { - shake128_squeeze_first_three_blocks_e0(self, ret); + shake128_squeeze_three_blocks_e0(self, ret); } /** @@ -7901,12 +8005,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_89( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_e0( - PortableHash_88 *st, uint8_t ret[3U][168U]) { +static KRML_MUSTINLINE void shake128_squeeze_block_e0(PortableHash_88 *st, + uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; @@ -7922,13 +8026,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const generics - K= 3 */ -static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_e0( +static KRML_MUSTINLINE void shake128_squeeze_block_f1_e0( PortableHash_88 *self, uint8_t ret[3U][168U]) { - shake128_squeeze_next_block_e0(self, ret); + shake128_squeeze_block_e0(self, ret); } /** @@ -8020,7 +8124,7 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b1( int16_t s[272U]) { - return from_i16_array_ef_8c( + return from_i16_array_d6_8c( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -8039,9 +8143,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b1( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seeds[3U][34U]; memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); - PortableHash_88 xof_state = shake128_init_absorb_final_f1_e0(copy_of_seeds); + PortableHash_88 xof_state = shake128_init_absorb_f1_e0(copy_of_seeds); uint8_t randomness0[3U][504U]; - shake128_squeeze_first_three_blocks_f1_e0(&xof_state, randomness0); + shake128_squeeze_three_blocks_f1_e0(&xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[3U][504U]; memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); @@ -8056,7 +8160,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b1( break; } else { uint8_t randomness[3U][168U]; - shake128_squeeze_next_block_f1_e0(&xof_state, randomness); + shake128_squeeze_block_f1_e0(&xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[3U][168U]; memcpy(copy_of_randomness, randomness, @@ -8104,13 +8208,14 @@ static KRML_MUSTINLINE void sample_matrix_A_2b1( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)3U, sampled, + (size_t)3U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), libcrux_ml_kem_polynomial_PolynomialRingElement_1d); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -8208,7 +8313,7 @@ static KRML_MUSTINLINE tuple_230 sample_vector_cbd_then_ntt_out_3b1( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = ZERO_ef_8c();); + re_as_ntt[i] = ZERO_d6_8c();); libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -8227,18 +8332,22 @@ static KRML_MUSTINLINE tuple_230 sample_vector_cbd_then_ntt_out_3b1( return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE void add_to_ring_element_ef_1b( +static KRML_MUSTINLINE void add_to_ring_element_d6_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { for (size_t i = (size_t)0U; @@ -8282,7 +8391,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -8295,10 +8404,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(matrix_element, &s_as_ntt[j]); - add_to_ring_element_ef_1b(&t_as_ntt[i0], &product); + ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]); + add_to_ring_element_d6_1b(&t_as_ntt[i0], &product); } - add_standard_error_reduce_ef_8c(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -8400,6 +8509,9 @@ generate_keypair_15(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] @@ -8487,13 +8599,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f8(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } /** @@ -8514,6 +8626,32 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_9c(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1152 +- K= 3 +*/ +static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b3( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = + deserialize_to_reduced_ring_element_8c(ring_element); + deserialized_pk[i0] = uu____0; + } +} + /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -8527,7 +8665,7 @@ static KRML_MUSTINLINE tuple_230 sample_ring_element_cbd_3b1(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = ZERO_ef_8c();); + error_1[i] = ZERO_d6_8c();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -8596,9 +8734,12 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_1b( invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U); invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_ef_8c(re); + poly_barrett_reduce_d6_8c(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -8612,7 +8753,7 @@ static KRML_MUSTINLINE void compute_vector_u_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = ZERO_ef_8c();); + result[i] = ZERO_d6_8c();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -8632,17 +8773,20 @@ static KRML_MUSTINLINE void compute_vector_u_1b( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(a_element, &r_as_ntt[j]); - add_to_ring_element_ef_1b(&result[i1], &product); + ntt_multiply_d6_8c(a_element, &r_as_ntt[j]); + add_to_ring_element_d6_1b(&result[i1], &product); } invert_ntt_montgomery_1b(&result[i1]); - add_error_reduce_ef_8c(&result[i1], &error_1[i1]); + add_error_reduce_d6_8c(&result[i1], &error_1[i1]); } memcpy( ret, result, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -8655,13 +8799,13 @@ compute_ring_element_v_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_ef_1b(&result, &product);); + ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]); + add_to_ring_element_d6_1b(&result, &product);); invert_ntt_montgomery_1b(&result); - result = add_message_error_reduce_ef_8c(error_2, message, result); + result = add_message_error_reduce_d6_8c(error_2, message, result); return result; } @@ -8809,7 +8953,7 @@ static KRML_MUSTINLINE void encrypt_2a(Eurydice_slice public_key, Eurydice_slice randomness, uint8_t ret[1088U]) { IndCpaPublicKeyUnpacked_a0 unpacked_public_key = default_8d_1b(); - deserialize_ring_elements_reduced_1b( + deserialize_ring_elements_reduced_b3( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1152U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -8885,7 +9029,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( size_t); uint8_t ret[32U]; H_f1_e0(Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -8899,7 +9043,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -8909,7 +9053,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; kdf_d8_d6(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; @@ -8934,7 +9078,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = ZERO_ef_8c();); + secret_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -8967,7 +9111,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = ZERO_ef_8c();); + u_as_ntt[i] = ZERO_d6_8c();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -8993,6 +9137,12 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -9004,13 +9154,13 @@ compute_message_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_ef_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_ef_1b(&result, &product);); + ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); + add_to_ring_element_d6_1b(&result, &product);); invert_ntt_montgomery_1b(&result); - result = subtract_reduce_ef_8c(v, result); + result = subtract_reduce_d6_8c(v, result); return result; } @@ -9148,7 +9298,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; PRF_f1_41(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), @@ -9163,15 +9313,15 @@ void libcrux_ml_kem_ind_cca_decapsulate_62( kdf_d8_d6(Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - kdf_d8_d6(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; + kdf_d8_d6(shared_secret0, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index f8b67001d..08beb8605 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem_portable_H @@ -74,10 +74,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_11( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[22U]); -void libcrux_ml_kem_vector_portable_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -101,10 +97,10 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes); +libcrux_ml_kem_vector_portable_vector_type_zero(void); libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a); +libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -129,9 +125,6 @@ extern const uint8_t libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[256U] [16U]; -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_zero(void); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -169,7 +162,7 @@ libcrux_ml_kem_vector_portable_sub_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -177,11 +170,11 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_multiply_by_constant_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -193,7 +186,7 @@ libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -206,10 +199,11 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ ((int32_t)20159) -#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT ((int32_t)26) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26) -#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R \ - ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \ + ((int32_t)1 << (uint32_t) \ + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT) /** Signed Barrett Reduction @@ -222,16 +216,14 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) - Note: The input bound is 28296 to prevent overflow in the multiplication of - quotient by FIELD_MODULUS - + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. */ int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -256,12 +248,10 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) - the absolute value of `o` is bound as follows: - `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 - - In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS + 1664 + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. */ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value); @@ -282,7 +272,7 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -319,7 +309,7 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -327,7 +317,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_1_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v); uint32_t libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( uint8_t n, uint32_t value); @@ -336,13 +326,13 @@ int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( uint8_t coefficient_bits, uint16_t fe); void libcrux_ml_kem_vector_portable_ntt_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -355,8 +345,8 @@ libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -369,8 +359,7 @@ libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -381,13 +370,13 @@ libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta); void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -400,8 +389,8 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -414,8 +403,7 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for @@ -425,10 +413,33 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta); +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, - size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); + size_t i, size_t j, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_multiply( @@ -450,10 +461,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_1( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[2U]); -void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -465,9 +472,6 @@ void libcrux_ml_kem_vector_portable_serialize_1_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -489,10 +493,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_4( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[8U]); -void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -507,9 +507,6 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -532,10 +529,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_5( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[10U]); -void libcrux_ml_kem_vector_portable_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -550,9 +543,6 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -567,10 +557,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_10( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[20U]); -void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -585,9 +571,6 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -608,10 +591,6 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_12( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[24U]); -void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -631,9 +610,6 @@ int16_t_x2 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a); - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index bdbeb3672..824f5182b 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index 2713cac33..2b6b4bb8e 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_sha3_avx2.h" @@ -2094,27 +2094,37 @@ static KRML_MUSTINLINE void store_block_ef_3a(__m256i (*a)[5U], } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block with types core_core_arch_x86___m256i with const generics - N= 4 - RATE= 168 */ -static KRML_MUSTINLINE void squeeze_first_block_970( +static KRML_MUSTINLINE void squeeze_next_block_970( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + keccakf1600_a6(s); store_block_ef_3a(s->st, out); } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block + Squeeze another block +*/ +void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + squeeze_next_block_970(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block with types core_core_arch_x86___m256i with const generics - N= 4 - RATE= 168 */ -static KRML_MUSTINLINE void squeeze_next_block_970( +static KRML_MUSTINLINE void squeeze_first_block_970( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { - keccakf1600_a6(s); store_block_ef_3a(s->st, out); } @@ -2154,16 +2164,6 @@ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( squeeze_first_three_blocks_97(s, buf); } -/** - Squeeze another block -*/ -void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, - Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { - Eurydice_slice buf[4U] = {out0, out1, out2, out3}; - squeeze_next_block_970(s, buf); -} - /** A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks with types core_core_arch_x86___m256i diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index dff6d2cc7..b60413063 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_avx2_H @@ -55,16 +55,16 @@ void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3); /** - Squeeze three blocks + Squeeze another block */ -void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( +void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); /** - Squeeze another block + Squeeze three blocks */ -void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( +void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index 9fba3cfe9..f9b77fd80 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_internal_H @@ -1425,27 +1425,27 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a( } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block with types uint64_t with const generics - N= 1 - RATE= 168 */ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block with types uint64_t with const generics - N= 1 - RATE= 168 */ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { - libcrux_sha3_generic_keccak_keccakf1600_04(s); libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); } diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c index 290cb64db..fde734013 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.c +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_sha3_neon.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h index cd8ec70fa..1816675a7 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.h +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 18a089ceff3ef1a9f6876cd99a9f4f42c0fe05d9 + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_neon_H diff --git a/libcrux-ml-kem/cg/CMakeLists.txt b/libcrux-ml-kem/cg/CMakeLists.txt index ce8ed53c2..e18520d55 100644 --- a/libcrux-ml-kem/cg/CMakeLists.txt +++ b/libcrux-ml-kem/cg/CMakeLists.txt @@ -26,10 +26,10 @@ if(NOT MSVC) endif(NOT MSVC) if((CMAKE_C_COMPILER_ID STREQUAL "Clang" AND - CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR - (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND - CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) - add_compile_options(-Werror -Wframe-larger-than=25344) + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR + (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) + add_compile_options(-Werror -Wframe-larger-than=25344) endif() set(CMAKE_COLOR_DIAGNOSTICS "ON") @@ -95,48 +95,50 @@ target_link_libraries(sha3_test PRIVATE ) # --- Benchmarks -FetchContent_Declare(benchmark - GIT_REPOSITORY https://github.com/google/benchmark.git - GIT_TAG v1.8.4 -) -FetchContent_MakeAvailable(benchmark) - -add_executable(ml_kem_bench - ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc -) -target_link_libraries(ml_kem_bench PRIVATE - benchmark::benchmark -) +if(DEFINED ENV{LIBCRUX_BENCHMARKS}) + FetchContent_Declare(benchmark + GIT_REPOSITORY https://github.com/google/benchmark.git + GIT_TAG v1.8.4 + ) + FetchContent_MakeAvailable(benchmark) -if(DEFINED ENV{SYMCRYPT_PATH}) - message("Symcrypt path: $ENV{SYMCRYPT_PATH}") - add_compile_definitions(LIBCRUX_SYMCRYPT) - target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) - target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) - target_link_libraries(ml_kem_bench PRIVATE symcrypt) -endif(DEFINED ENV{SYMCRYPT_PATH}) + add_executable(ml_kem_bench + ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc + ) + target_link_libraries(ml_kem_bench PRIVATE + benchmark::benchmark + ) -add_executable(ml_kem_keygen - ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc -) -target_link_libraries(ml_kem_keygen PRIVATE - benchmark::benchmark -) + if(DEFINED ENV{SYMCRYPT_PATH}) + message("Symcrypt path: $ENV{SYMCRYPT_PATH}") + add_compile_definitions(LIBCRUX_SYMCRYPT) + target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) + target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) + target_link_libraries(ml_kem_bench PRIVATE symcrypt) + endif(DEFINED ENV{SYMCRYPT_PATH}) -add_executable(ml_kem_encaps - ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc -) -target_link_libraries(ml_kem_encaps PRIVATE - benchmark::benchmark -) + add_executable(ml_kem_keygen + ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc + ) + target_link_libraries(ml_kem_keygen PRIVATE + benchmark::benchmark + ) -if(NOT MSVC) - # We benchmark internal functions here that are inlined and thus not available - # in MSVC. - add_executable(sha3_bench - ${PROJECT_SOURCE_DIR}/benches/sha3.cc + add_executable(ml_kem_encaps + ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc ) - target_link_libraries(sha3_bench PRIVATE + target_link_libraries(ml_kem_encaps PRIVATE benchmark::benchmark ) -endif(NOT MSVC) + + if(NOT MSVC) + # We benchmark internal functions here that are inlined and thus not available + # in MSVC. + add_executable(sha3_bench + ${PROJECT_SOURCE_DIR}/benches/sha3.cc + ) + target_link_libraries(sha3_bench PRIVATE + benchmark::benchmark + ) + endif(NOT MSVC) +endif(DEFINED ENV{LIBCRUX_BENCHMARKS}) diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt index 13b6368d7..a05d71620 100644 --- a/libcrux-ml-kem/cg/code_gen.txt +++ b/libcrux-ml-kem/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc -Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d +Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index 408699596..3f9b35cc2 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h +++ b/libcrux-ml-kem/cg/eurydice_glue.h @@ -17,6 +17,7 @@ extern "C" { #include #include +#include "karamel/endianness.h" #include "karamel/target.h" // SLICES, ARRAYS, ETC. @@ -30,8 +31,6 @@ extern "C" { #define CLITERAL(type) (type) #endif -#define LowStar_Ignore_ignore(e, t, _ret_t) ((void)e) - // We represent a slice as a pair of an (untyped) pointer, along with the length // of the slice, i.e. the number of elements in the slice (this is NOT the // number of bytes). This design choice has two important consequences. @@ -90,7 +89,7 @@ typedef struct { #define Eurydice_slice_copy(dst, src, t) \ memcpy(dst.ptr, src.ptr, dst.len * sizeof(t)) #define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \ - ((Eurydice_slice){.ptr = ptr_, .len = len_}) + (CLITERAL(Eurydice_slice){.ptr = ptr_, .len = len_}) #define core_array___core__clone__Clone_for__Array_T__N___20__clone( \ len, src, dst, elem_type, _ret_t) \ @@ -132,18 +131,14 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, // CORE STUFF (conversions, endianness, ...) static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { - memcpy(buf, &v, sizeof(v)); + store64_le(buf, v); } static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { - uint64_t v; - memcpy(&v, buf, sizeof(v)); - return v; + return load64_le(buf); } static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { - uint32_t v; - memcpy(&v, buf, sizeof(v)); - return v; + return load32_le(buf); } static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { diff --git a/libcrux-ml-kem/cg/karamel/endianness.h b/libcrux-ml-kem/cg/karamel/endianness.h new file mode 100644 index 000000000..d59d9854d --- /dev/null +++ b/libcrux-ml-kem/cg/karamel/endianness.h @@ -0,0 +1,228 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 and MIT Licenses. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || \ + defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +#include + +/* ... for OSX */ +#elif defined(__APPLE__) +#include +#define htole64(x) OSSwapHostToLittleInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) + +#define htole16(x) OSSwapHostToLittleInt16(x) +#define le16toh(x) OSSwapLittleToHostInt16(x) +#define htobe16(x) OSSwapHostToBigInt16(x) +#define be16toh(x) OSSwapBigToHostInt16(x) + +#define htole32(x) OSSwapHostToLittleInt32(x) +#define le32toh(x) OSSwapLittleToHostInt32(x) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +#include +#define htole64(x) LE_64(x) +#define le64toh(x) LE_64(x) +#define htobe64(x) BE_64(x) +#define be64toh(x) BE_64(x) + +#define htole16(x) LE_16(x) +#define le16toh(x) LE_16(x) +#define htobe16(x) BE_16(x) +#define be16toh(x) BE_16(x) + +#define htole32(x) LE_32(x) +#define le32toh(x) LE_32(x) +#define htobe32(x) BE_32(x) +#define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +#include +#elif defined(__OpenBSD__) +#include + +/* ... for Windows (MSVC)... not targeting XBOX 360! */ +#elif defined(_MSC_VER) + +#include +#define htobe16(x) _byteswap_ushort(x) +#define htole16(x) (x) +#define be16toh(x) _byteswap_ushort(x) +#define le16toh(x) (x) + +#define htobe32(x) _byteswap_ulong(x) +#define htole32(x) (x) +#define be32toh(x) _byteswap_ulong(x) +#define le32toh(x) (x) + +#define htobe64(x) _byteswap_uint64(x) +#define htole64(x) (x) +#define be64toh(x) _byteswap_uint64(x) +#define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \ + (defined(__GNUC__) || defined(__clang__)) + +#define htobe16(x) __builtin_bswap16(x) +#define htole16(x) (x) +#define be16toh(x) __builtin_bswap16(x) +#define le16toh(x) (x) + +#define htobe32(x) __builtin_bswap32(x) +#define htole32(x) (x) +#define be32toh(x) __builtin_bswap32(x) +#define le32toh(x) (x) + +#define htobe64(x) __builtin_bswap64(x) +#define htole64(x) (x) +#define be64toh(x) __builtin_bswap64(x) +#define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always + * big-endian */ +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \ + defined(_AIX) + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +#define htobe32(x) (x) +#define be32toh(x) (x) +#define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define le32toh(x) (htole32((x))) + +#define htobe64(x) (x) +#define be64toh(x) (x) +#define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define le64toh(x) (htole64((x))) + +/* ... generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +#define htole32(x) (x) +#define le32toh(x) (x) +#define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define be32toh(x) (htobe32((x))) + +#define htole64(x) (x) +#define le64toh(x) (x) +#define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +#error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); } + +inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); } + +inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); } + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) (le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/* Co-existence of LowStar.Endianness and FStar.Endianness generates name + * conflicts, because of course both insist on having no prefixes. Until a + * prefix is added, or until we truly retire FStar.Endianness, solve this issue + * in an elegant way. */ +#define load16_le0 load16_le +#define store16_le0 store16_le +#define load16_be0 load16_be +#define store16_be0 store16_be + +#define load32_le0 load32_le +#define store32_le0 store32_le +#define load32_be0 load32_be +#define store32_be0 store32_be + +#define load64_le0 load64_le +#define store64_le0 store64_le +#define load64_be0 load64_be +#define store64_be0 store64_be + +#define load128_le0 load128_le +#define store128_le0 store128_le +#define load128_be0 load128_be +#define store128_be0 store128_be + +#endif diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index 30f40f051..ed3aa1808 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_core_H @@ -214,14 +214,17 @@ typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s { } libcrux_ml_kem_mlkem768_MlKem768Ciphertext; /** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext#6} + A reference to the raw byte slice. */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_d4 +This function found in impl {libcrux_ml_kem::types::MlKemCiphertext#7} +*/ +/** +A monomorphic instance of libcrux_ml_kem.types.as_slice_07 with const generics - SIZE= 1088 */ -static inline uint8_t *libcrux_ml_kem_types_as_slice_d4_80( +static inline uint8_t *libcrux_ml_kem_types_as_slice_07_80( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { return self->value; } @@ -237,15 +240,15 @@ typedef struct libcrux_ml_kem_types_MlKemPublicKey_30_s { /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPublicKey)#16} +libcrux_ml_kem::types::MlKemPublicKey)#17} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_5a +A monomorphic instance of libcrux_ml_kem.types.from_40 with const generics - SIZE= 1184 */ static inline libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_types_from_5a_d0(uint8_t value[1184U]) { +libcrux_ml_kem_types_from_40_d0(uint8_t value[1184U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1184U]; memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t)); @@ -268,18 +271,21 @@ typedef struct libcrux_ml_kem_mlkem768_MlKem768KeyPair_s { libcrux_ml_kem_types_MlKemPublicKey_30 pk; } libcrux_ml_kem_mlkem768_MlKem768KeyPair; +/** + Create a new [`MlKemKeyPair`] from the secret and public key. +*/ /** This function found in impl -{libcrux_ml_kem::types::MlKemKeyPair#21} +{libcrux_ml_kem::types::MlKemKeyPair} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_3a +A monomorphic instance of libcrux_ml_kem.types.from_17 with const generics - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_types_from_3a_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk, +libcrux_ml_kem_types_from_17_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk, libcrux_ml_kem_types_MlKemPublicKey_30 pk) { return ( CLITERAL(libcrux_ml_kem_mlkem768_MlKem768KeyPair){.sk = sk, .pk = pk}); @@ -287,15 +293,15 @@ libcrux_ml_kem_types_from_3a_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk, /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemPrivateKey)#9} +libcrux_ml_kem::types::MlKemPrivateKey)#10} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_7f +A monomorphic instance of libcrux_ml_kem.types.from_88 with const generics - SIZE= 2400 */ static inline libcrux_ml_kem_types_MlKemPrivateKey_d9 -libcrux_ml_kem_types_from_7f_28(uint8_t value[2400U]) { +libcrux_ml_kem_types_from_88_28(uint8_t value[2400U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[2400U]; memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t)); @@ -351,15 +357,15 @@ typedef struct tuple_c2_s { /** This function found in impl {(core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext)#2} +libcrux_ml_kem::types::MlKemCiphertext)#3} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_01 +A monomorphic instance of libcrux_ml_kem.types.from_fc with const generics - SIZE= 1088 */ static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext -libcrux_ml_kem_types_from_01_80(uint8_t value[1088U]) { +libcrux_ml_kem_types_from_fc_80(uint8_t value[1088U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_value[1088U]; memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); @@ -369,14 +375,17 @@ libcrux_ml_kem_types_from_01_80(uint8_t value[1088U]) { } /** -This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#20} + A reference to the raw byte slice. +*/ +/** +This function found in impl {libcrux_ml_kem::types::MlKemPublicKey#21} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_fd +A monomorphic instance of libcrux_ml_kem.types.as_slice_ba with const generics - SIZE= 1184 */ -static inline uint8_t *libcrux_ml_kem_types_as_slice_fd_d0( +static inline uint8_t *libcrux_ml_kem_types_as_slice_ba_d0( libcrux_ml_kem_types_MlKemPublicKey_30 *self) { return self->value; } @@ -421,14 +430,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_b6( /** This function found in impl {(core::convert::AsRef<@Slice> for -libcrux_ml_kem::types::MlKemCiphertext)#1} +libcrux_ml_kem::types::MlKemCiphertext)#2} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_ref_00 +A monomorphic instance of libcrux_ml_kem.types.as_ref_fd with const generics - SIZE= 1088 */ -static inline Eurydice_slice libcrux_ml_kem_types_as_ref_00_80( +static inline Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t); } diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h index 244aa8e45..ac9ffe798 100644 --- a/libcrux-ml-kem/cg/libcrux_ct_ops.h +++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_ct_ops_H @@ -21,11 +21,17 @@ extern "C" { #include "eurydice_glue.h" #include "libcrux_core.h" +/** + Return 1 if `value` is not zero and 0 otherwise. +*/ static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) { uint16_t value0 = (uint16_t)value; - uint8_t result = - (uint8_t)((uint32_t)core_num__u16_7__wrapping_add(~value0, 1U) >> 8U); - return (uint32_t)result & 1U; + uint16_t result = (((uint32_t)value0 | + (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) & + 0xFFFFU) >> + 8U & + 1U; + return (uint8_t)result; } static KRML_NOINLINE uint8_t @@ -33,15 +39,18 @@ libcrux_ml_kem_constant_time_ops_is_non_zero(uint8_t value) { return libcrux_ml_kem_constant_time_ops_inz(value); } +/** + Return 1 if the bytes of `lhs` and `rhs` do not exactly + match and 0 otherwise. +*/ static inline uint8_t libcrux_ml_kem_constant_time_ops_compare( Eurydice_slice lhs, Eurydice_slice rhs) { uint8_t r = 0U; for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; - uint8_t nr = (uint32_t)r | - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); - r = nr; + r = (uint32_t)r | + ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); } return libcrux_ml_kem_constant_time_ops_is_non_zero(r); } @@ -52,6 +61,10 @@ libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs); } +/** + If `selector` is not zero, return the bytes in `rhs`; return the bytes in + `lhs` otherwise. +*/ static inline void libcrux_ml_kem_constant_time_ops_select_ct( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, uint8_t ret[32U]) { @@ -61,12 +74,10 @@ static inline void libcrux_ml_kem_constant_time_ops_select_ct( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; i++) { size_t i0 = i; - uint8_t outi = - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & - (uint32_t)mask) | - ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & - (uint32_t)~mask); - out[i0] = outi; + out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & + (uint32_t)mask) | + ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & + (uint32_t)~mask); } memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 7a5dafa68..628649fb8 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_H @@ -47,7 +47,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_vec_zero(void) { +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) { return libcrux_intrinsics_avx2_mm256_setzero_si256(); } @@ -57,12 +57,12 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_09(void) { - return libcrux_ml_kem_vector_avx2_vec_zero(); + return libcrux_ml_kem_vector_avx2_zero(); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) { +libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) { return libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array); } @@ -73,18 +73,16 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array) { - return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array); + return libcrux_ml_kem_vector_avx2_from_i16_array(array); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_to_i16_array( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array( __m256i v, int16_t ret[16U]) { int16_t output[16U] = {0U}; libcrux_intrinsics_avx2_mm256_storeu_si256_i16( Eurydice_array_to_slice((size_t)16U, output, int16_t), v); - int16_t result[16U]; - memcpy(result, output, (size_t)16U * sizeof(int16_t)); - memcpy(ret, result, (size_t)16U * sizeof(int16_t)); + memcpy(ret, output, (size_t)16U * sizeof(int16_t)); } /** @@ -94,7 +92,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_09( __m256i x, int16_t ret[16U]) { - libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret); + libcrux_ml_kem_vector_avx2_to_i16_array(x, ret); } KRML_ATTRIBUTE_TARGET("avx2") @@ -133,8 +131,8 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, int16_t constant) { - __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, cv); + return libcrux_intrinsics_avx2_mm256_mullo_epi16( + vector, libcrux_intrinsics_avx2_mm256_set1_epi16(constant)); } /** @@ -151,8 +149,8 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( __m256i vector, int16_t constant) { - __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv); + return libcrux_intrinsics_avx2_mm256_and_si256( + vector, libcrux_intrinsics_avx2_mm256_set1_epi16(constant)); } /** @@ -207,13 +205,13 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) { KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { - __m256i t0 = libcrux_intrinsics_avx2_mm256_mulhi_epi16( + __m256i t = libcrux_intrinsics_avx2_mm256_mulhi_epi16( vector, libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); - __m256i t512 = libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512); - __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16(t0, t512); + __m256i t0 = libcrux_intrinsics_avx2_mm256_add_epi16( + t, libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512)); __m256i quotient = - libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)10, t1, __m256i); + libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)10, t0, __m256i); __m256i quotient_times_field_modulus = libcrux_intrinsics_avx2_mm256_mullo_epi16( quotient, libcrux_intrinsics_avx2_mm256_set1_epi16( @@ -236,20 +234,19 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( __m256i vector, int16_t constant) { - __m256i vec_constant = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); + __m256i constant0 = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); __m256i value_low = - libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, vec_constant); + libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, constant0); __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16( value_low, libcrux_intrinsics_avx2_mm256_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m256i modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m256i k_times_modulus = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus); + __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16( + k, libcrux_intrinsics_avx2_mm256_set1_epi16( + LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); __m256i value_high = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, vec_constant); + libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, constant0); return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); } @@ -313,19 +310,17 @@ libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( - __m256i vec, __m256i constants) { - __m256i value_low = libcrux_intrinsics_avx2_mm256_mullo_epi16(vec, constants); + __m256i v, __m256i c) { + __m256i value_low = libcrux_intrinsics_avx2_mm256_mullo_epi16(v, c); __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16( value_low, libcrux_intrinsics_avx2_mm256_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m256i modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m256i k_times_modulus = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus); - __m256i value_high = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(vec, constants); + __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16( + k, libcrux_intrinsics_avx2_mm256_set1_epi16( + LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); + __m256i value_high = libcrux_intrinsics_avx2_mm256_mulhi_epi16(v, c); return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); } @@ -387,17 +382,17 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m128i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( - __m128i vec, __m128i constants) { - __m128i value_low = libcrux_intrinsics_avx2_mm_mullo_epi16(vec, constants); + __m128i v, __m128i c) { + __m128i value_low = libcrux_intrinsics_avx2_mm_mullo_epi16(v, c); __m128i k = libcrux_intrinsics_avx2_mm_mullo_epi16( value_low, libcrux_intrinsics_avx2_mm_set1_epi16( (int16_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - __m128i modulus = libcrux_intrinsics_avx2_mm_set1_epi16( - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - __m128i k_times_modulus = libcrux_intrinsics_avx2_mm_mulhi_epi16(k, modulus); - __m128i value_high = libcrux_intrinsics_avx2_mm_mulhi_epi16(vec, constants); + __m128i k_times_modulus = libcrux_intrinsics_avx2_mm_mulhi_epi16( + k, libcrux_intrinsics_avx2_mm_set1_epi16( + LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); + __m128i value_high = libcrux_intrinsics_avx2_mm_mulhi_epi16(v, c); return libcrux_intrinsics_avx2_mm_sub_epi16(value_high, k_times_modulus); } @@ -541,9 +536,9 @@ libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(__m256i vector, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) { +libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v) { __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16( - vec, + v, libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t) LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); @@ -551,7 +546,7 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) { k, libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); __m256i value_high = - libcrux_intrinsics_avx2_mm256_srli_epi32((int32_t)16, vec, __m256i); + libcrux_intrinsics_avx2_mm256_srli_epi32((int32_t)16, v, __m256i); __m256i result = libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); __m256i result0 = @@ -698,8 +693,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( collate them into two bytes. */ msbs); - uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; - memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); + uint8_t serialized[2U] = {0U}; + serialized[0U] = (uint8_t)bits_packed; + serialized[1U] = (uint8_t)(bits_packed >> 8U); + memcpy(ret, serialized, (size_t)2U * sizeof(uint8_t)); } /** @@ -712,82 +709,11 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09( libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( - int16_t a, int16_t b) { - __m256i coefficients = - libcrux_intrinsics_avx2_mm256_set_epi16(/* We need to take each bit from - the 2 bytes of input and put - them into their own 16-bit - lane. Ideally, we'd load the - two bytes into the vector, - duplicate them, and right-shift - the 0th element by 0 bits, the - first element by 1 bit, the - second by 2 bits and so on - before AND-ing with 0x1 to - leave only the least - signifinicant bit. But since - |_mm256_srlv_epi16| does not - exist, so we have to resort to - a workaround. Rather than - shifting each element by a - different amount, we'll - multiply each element by a - value such that the bit we're - interested in becomes the most - significant bit. The - coefficients are loaded as - follows: */ - b, b, b, b, b, b, b, b, a, a, a, - a, a, a, a, a); - __m256i coefficients_in_msb = - libcrux_intrinsics_avx2_mm256_mullo_epi16(/* And this vector, when - multiplied with the previous - one, ensures that the bit - we'd like to keep in each - lane becomes the most - significant bit upon - multiplication. */ - coefficients, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 8U, - (int16_t)1 << 9U, - (int16_t)1 << 10U, - (int16_t)1 << 11U, - (int16_t)1 << 12U, - (int16_t)1 << 13U, - (int16_t)1 << 14U, - (int16_t)-32768, - (int16_t)1 << 8U, - (int16_t)1 << 9U, - (int16_t)1 << 10U, - (int16_t)1 << 11U, - (int16_t)1 << 12U, - (int16_t)1 << 13U, - (int16_t)1 << 14U, - (int16_t)-32768)); - return libcrux_intrinsics_avx2_mm256_srli_epi16( - (int32_t)15, - /* Now that they're all in the most significant bit position, shift them - down to the least significant bit. */ - coefficients_in_msb, __m256i); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - uint8_t a, uint8_t b) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( - (int16_t)a, (int16_t)b); -} - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - Eurydice_slice_index( + __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)Eurydice_slice_index( bytes, /* We need to take each bit from the 2 bytes of input and put them into their own 16-bit lane. Ideally, we'd load the two bytes into @@ -798,13 +724,35 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { to a workaround. Rather than shifting each element by a different amount, we'll multiply each element by a value such that the bit we're interested in becomes the most significant bit. The - coefficients are loaded as follows: And this vector, when - multiplied with the previous one, ensures that the bit we'd like to - keep in each lane becomes the most significant bit upon - multiplication. Now that they're all in the most significant bit - position, shift them down to the least significant bit. */ - (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); + coefficients are loaded as follows: */ + (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i shift_lsb_to_msb = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768, + (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768); + __m256i coefficients_in_msb = + libcrux_intrinsics_avx2_mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + return libcrux_intrinsics_avx2_mm256_srli_epi16( + (int32_t)15, + /* Now that they're all in the most significant bit position, shift them + down to the least significant bit. */ + coefficients_in_msb, __m256i); } /** @@ -817,35 +765,32 @@ libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } -/** - `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets - of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of - 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last - `n` bits are non-zero). -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, - __m256i x) { - int16_t n0 = (int16_t)1 << (uint32_t)n; - return libcrux_intrinsics_avx2_mm256_madd_epi16( - x, libcrux_intrinsics_avx2_mm256_set_epi16( - n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, - (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1)); -} - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m256i vector, uint8_t ret[8U]) { uint8_t serialized[16U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n( - 4U, - /* If |vector| is laid out as follows: 0x000A 0x000B 0x000C 0x000D | - 0x000E 0x000F 0x000G 0x000H | .... |adjacent_2_combined| will be - laid out as a series of 32-bit integeres, as follows: 0x00_00_00_BA - 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... */ - vector); + libcrux_intrinsics_avx2_mm256_madd_epi16(/* If |vector| is laid out as + follows: 0x000A 0x000B 0x000C + 0x000D | 0x000E 0x000F 0x000G + 0x000H | .... + |adjacent_2_combined| will be + laid out as a series of 32-bit + integeres, as follows: + 0x00_00_00_BA 0x00_00_00_DC | + 0x00_00_00_FE 0x00_00_00_HG | + ... */ + vector, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, (int16_t)1, + (int16_t)1 << 4U, + (int16_t)1)); __m256i adjacent_8_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8(/* Recall that |adjacent_2_combined| goes @@ -925,44 +870,46 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( - int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, - int16_t b6, int16_t b7) { - __m256i coefficients = - libcrux_intrinsics_avx2_mm256_set_epi16(/* Every 4 bits from each byte of - input should be put into its - own 16-bit lane. Since - |_mm256_srlv_epi16| does not - exist, we have to resort to a - workaround. Rather than - shifting each element by a - different amount, we'll - multiply each element by a - value such that the bits we're - interested in become the most - significant bits (of an 8-bit - value). In this lane, the 4 - bits we need to put are already - the most significant bits of - |bytes[7]| (that is, b7). */ - b7, - /* In this lane, the 4 bits we - need to put are the least - significant bits, so we need to - shift the 4 least-significant - bits of |b7| to the most - significant bits (of an 8-bit - value). */ - b7, b6, b6, b5, b5, b4, b4, b3, - b3, b2, b2, b1, b1, b0, b0); +libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { + __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)Eurydice_slice_index( + bytes, + /* Every 4 bits from each byte of input should be put into its own + 16-bit lane. Since |_mm256_srlv_epi16| does not exist, we have to + resort to a workaround. Rather than shifting each element by a + different amount, we'll multiply each element by a value such that + the bits we're interested in become the most significant bits (of + an 8-bit value). In this lane, the 4 bits we need to put are + already the most significant bits of |bytes[7]|. */ + (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index( + bytes, + /* In this lane, the 4 bits we need to put are the least significant + bits, so we need to shift the 4 least-significant bits of + |bytes[7]| to the most significant bits (of an 8-bit value). */ + (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, /* and so on ... */ (size_t)6U, + uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); __m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U)); + coefficients, shift_lsbs_to_msbs); __m256i coefficients_in_lsb = libcrux_intrinsics_avx2_mm256_srli_epi16( (int32_t)4, /* Once the 4-bit coefficients are in the most significant positions (of @@ -974,46 +921,6 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( (int16_t)1)); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, - uint8_t b6, uint8_t b7) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( - (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4, - (int16_t)b5, (int16_t)b6, (int16_t)b7); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - Eurydice_slice_index( - bytes, - /* Every 4 bits from each byte of input should be put into its own - 16-bit lane. Since |_mm256_srlv_epi16| does not exist, we have to - resort to a workaround. Rather than shifting each element by a - different amount, we'll multiply each element by a value such that - the bits we're interested in become the most significant bits (of - an 8-bit value). In this lane, the 4 bits we need to put are - already the most significant bits of |bytes[7]| (that is, b7). In - this lane, the 4 bits we need to put are the least significant - bits, so we need to shift the 4 least-significant bits of |b7| to - the most significant bits (of an 8-bit value). These constants are - chosen to shift the bits of the values that we loaded into - |coefficients|. Once the 4-bit coefficients are in the most - significant positions (of an 8-bit value), shift them all down - by 4. Zero the remaining bits. */ - (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); -} - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -1151,24 +1058,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_09( libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } -/** - We cannot model `mm256_inserti128_si256` on its own: it produces a - Vec256 where the upper 128 bits are undefined. Thus - `mm256_inserti128_si256` is not pure. - - Luckily, we always call `mm256_castsi128_si256` right after - `mm256_inserti128_si256`: this composition sets the upper bits, - making the whole computation pure again. -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower, - __m128i upper) { - return libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, libcrux_intrinsics_avx2_mm256_castsi128_si256(lower), upper, - __m256i); -} - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { @@ -1190,10 +1079,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); __m256i coefficients_loaded = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - coefficients, coefficients); + libcrux_intrinsics_avx2_mm256_castsi128_si256(coefficients); + __m256i coefficients_loaded0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, coefficients_loaded, coefficients, __m256i); __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - coefficients_loaded, + coefficients_loaded0, libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10, @@ -1223,30 +1113,50 @@ libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } -typedef struct core_core_arch_x86___m128i_x2_s { - __m128i fst; - __m128i snd; -} core_core_arch_x86___m128i_x2; - KRML_ATTRIBUTE_TARGET("avx2") -static inline core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( - __m256i vector) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( + __m256i vector, uint8_t ret[20U]) { + uint8_t serialized[32U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n( - 10U, - /* If |vector| is laid out as follows (superscript number indicates - the corresponding bit is duplicated that many times): - 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ - 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ - 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ ... - |adjacent_2_combined| will be laid out as a series of 32-bit - integers, as follows: 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ .... */ - vector); + libcrux_intrinsics_avx2_mm256_madd_epi16(/* If |vector| is laid out as + follows (superscript number + indicates the corresponding + bit is duplicated that many + times): 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ + 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ + 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ + 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ + 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ + 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ + 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ + 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ ... + |adjacent_2_combined| will be + laid out as a series of 32-bit + integers, as follows: + 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ + 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ + | ↩ + 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ + 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ + | ↩ .... */ + vector, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1, + (int16_t)1 << 10U, + (int16_t)1)); __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(/* Shifting up the values at the even indices by 12, we get: @@ -1310,185 +1220,13 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( the lower 128-bit lane, ... */ adjacent_8_combined); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_8); __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, /* and 64 bits starting at position 0 in the upper 128-bit lane. */ adjacent_8_combined, __m128i); - return ( - CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { - core_core_arch_x86___m128i_x2 uu____0 = - libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(/* If - |vector| - is - laid - out - as - follows - (superscript - number - indicates - the - corresponding - bit - is - duplicated - that - many - times): - 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ - 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ - | ↩ - 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ - 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ - | ↩ - ... - |adjacent_2_combined| - will - be - laid - out - as a - series - of - 32-bit - integers, - as - follows: - 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - | ↩ - 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - | ↩ - .... - Shifting - up - the - values - at - the - even - indices - by - 12, - we - get: - b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ - | ↩ - f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ - | ↩ - ... - Viewing - this - as a - set - of - 64-bit - integers - we - get: - 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² - | ↩ - 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² - | ↩ - ... - Shifting - down - by - 12 - gives - us: - 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ - | ↩ - 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ - | ↩ - ... - |adjacent_4_combined|, - when - the - bottom - and - top - 128 - bit-lanes - are - grouped - into - bytes, - looks - like: - 0₇0₆0₅B₄B₃B₂B₁B₀ - | ↩ - 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ - | ↩ - In - each - 128-bit - lane, - we - want - to - put - bytes - 8, - 9, - 10, - 11, - 12 - after - bytes - 0, - 1, - 2, 3 - to - allow - for - sequential - reading. - We - now - have - 64 - bits - starting - at - position - 0 in - the - lower - 128-bit - lane, - ... - and - 64 - bits - starting - at - position - 0 in - the - upper - 128-bit - lane. - */ - vector); - __m128i lower_8 = uu____0.fst; - __m128i upper_8 = uu____0.snd; - uint8_t serialized[32U] = {0U}; - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - lower_8); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t), @@ -1515,48 +1253,35 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0) { - __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients0, +libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { + __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); + __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, 3U, 2U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8( - 15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U, - 9U, 8U, 8U, 7U, 7U, 6U)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( + 15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U, + 9U, 8U, 8U, 7U, 7U, 6U)); __m256i coefficients = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - lower_coefficients, upper_coefficients); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, - (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U, - (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U, - (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, - (int16_t)1 << 6U)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16( - (int32_t)6, coefficients0, __m256i); - return libcrux_intrinsics_avx2_mm256_and_si256(/* Here I can prove this `and` - is not useful */ - coefficients1, - libcrux_intrinsics_avx2_mm256_set1_epi16( - ((int16_t)1 << 10U) - - (int16_t)1)); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { - Eurydice_slice lower_coefficients = Eurydice_slice_subslice2( - /* Here I can prove this `and` is not useful */ bytes, (size_t)0U, - (size_t)16U, uint8_t); - Eurydice_slice upper_coefficients = - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), - libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); + libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, coefficients, upper_coefficients0, __m256i); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + coefficients0, shift_lsbs_to_msbs); + __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16( + (int32_t)6, coefficients1, __m256i); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16( + ((int16_t)1 << 10U) - (int16_t)1)); } /** @@ -1615,11 +1340,16 @@ libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m128i_x2 -libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - __m256i vector) { - __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( + __m256i vector, uint8_t ret[24U]) { + uint8_t serialized[32U] = {0U}; + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16( + vector, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, + (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1)); __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi32( (int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8, @@ -1639,19 +1369,6 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined); __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, __m128i); - return ( - CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { - uint8_t serialized[32U] = {0U}; - core_core_arch_x86___m128i_x2 uu____0 = - libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - vector); - __m128i lower_8 = uu____0.fst; - __m128i upper_8 = uu____0.snd; libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); @@ -1681,45 +1398,37 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - __m128i lower_coefficients0, __m128i upper_coefficients0) { - __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients0, +libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { + __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); + __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, 4U, 3U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients0, + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); __m256i coefficients = - libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( - lower_coefficients, upper_coefficients); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, - (int16_t)1 << 4U)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16( - (int32_t)4, coefficients0, __m256i); + libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, coefficients, upper_coefficients0, __m256i); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + coefficients0, shift_lsbs_to_msbs); + __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16( + (int32_t)4, coefficients1, __m256i); return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients1, libcrux_intrinsics_avx2_mm256_set1_epi16( + coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16( ((int16_t)1 << 12U) - (int16_t)1)); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { - __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - lower_coefficients, upper_coefficients); -} - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -1774,20 +1483,18 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, compare_with_field_modulus, good); uint8_t lower_shuffles[16U]; - memcpy( - lower_shuffles, - /* We need to provide a definition or post-condition for - Core.Num.impl__u8__count_ones Each bit (and its corresponding position) - represents an element we want to sample. We'd like all such elements to - be next to each other starting at index 0, so that they can be read - from the vector easily. |REJECTION_SAMPLE_SHUFFLE_TABLE| encodes the - byte-level shuffling indices needed to make this happen. For e.g. if - good[0] = 0b0_0_0_0_0_0_1_0, we need to move the element in the 2-nd - 16-bit lane to the first. To do this, we need the byte-level shuffle - indices to be 2 3 X X X X ... */ - libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( - size_t)good[0U]], - (size_t)16U * sizeof(uint8_t)); + memcpy(lower_shuffles, + /* Each bit (and its corresponding position) represents an element we + want to sample. We'd like all such elements to be next to each other + starting at index 0, so that they can be read from the vector + easily. |REJECTION_SAMPLE_SHUFFLE_TABLE| encodes the byte-level + shuffling indices needed to make this happen. For e.g. if good[0] = + 0b0_0_0_0_0_0_1_0, we need to move the element in the 2-nd 16-bit + lane to the first. To do this, we need the byte-level shuffle + indices to be 2 3 X X X X ... */ + libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( + size_t)good[0U]], + (size_t)16U * sizeof(uint8_t)); __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_array_to_slice( (size_t)16U, @@ -1833,17 +1540,17 @@ static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_09( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_ef_61(void) { +libcrux_ml_kem_polynomial_ZERO_d6_61(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09(); lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09(); @@ -1873,7 +1580,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_ab(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -1887,7 +1594,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -1910,7 +1617,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / @@ -1943,7 +1650,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_ed(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -2045,12 +1752,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_10_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); - LowStar_Ignore_ignore( - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)16U, re.coefficients, __m256i), - __m256i), - size_t, void *); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; @@ -2163,7 +1865,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_11_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; @@ -2235,13 +1937,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; - i0 < (size_t)128U >> - (uint32_t) /* The semicolon and parentheses at the end of loop are a - workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ - layer; - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; size_t offset = round * step * (size_t)2U; @@ -2252,7 +1948,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61( libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = libcrux_ml_kem_ntt_ntt_layer_int_vec_step_61( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; __m256i y = uu____0.snd; re->coefficients[j] = x; @@ -2276,7 +1972,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_61( zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); } } @@ -2294,8 +1990,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_61( size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( - re->coefficients[round], libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U)); + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } } @@ -2314,10 +2012,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_61( size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( - re->coefficients[round], libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)3U)); + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); zeta_i[0U] = zeta_i[0U] + (size_t)3U; } } @@ -2325,23 +2027,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_61( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_61( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -2363,18 +2063,15 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_ee( libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U, (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U, - (size_t)2U * (size_t)3328U); + (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U, - (size_t)3U * (size_t)3328U); + (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U, - (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U, - (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U, - (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U, - (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_61(re); + (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U, (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } /** @@ -2392,7 +2089,7 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len( @@ -2520,7 +2217,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_4_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; @@ -2633,7 +2330,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_5_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; @@ -2660,57 +2357,90 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_42( return libcrux_ml_kem_serialize_deserialize_then_decompress_4_61(serialized); } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_ef_61( +libcrux_ml_kem_polynomial_ntt_multiply_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - * error while extracting hax_debug_debug_assert!(lhs .coefficients - * .into_iter() .all(|coefficient| coefficient >= 0 && coefficient < 4096)); - */ + /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| + * coefficient >= 0 && coefficient < 4096)); */ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09( &self->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)3U]); } return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { for (size_t i = (size_t)0U; @@ -2745,10 +2475,13 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_61( re->coefficients[round] = libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } @@ -2769,8 +2502,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_61( re->coefficients[round] = libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -2791,7 +2525,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_61( re->coefficients[round] = libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); } } @@ -2845,7 +2579,7 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61( libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_61( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; __m256i y = uu____0.snd; re->coefficients[j] = x; @@ -2879,31 +2613,27 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( (size_t)6U); libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_61(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_ef_61( +libcrux_ml_kem_polynomial_subtract_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( @@ -2915,6 +2645,12 @@ libcrux_ml_kem_polynomial_subtract_reduce_ef_61( return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -2928,16 +2664,16 @@ libcrux_ml_kem_matrix_compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_61(&secret_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result, &product); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - result = libcrux_ml_kem_polynomial_subtract_reduce_ef_61(v, result); + result = libcrux_ml_kem_polynomial_subtract_reduce_d6_61(v, result); return result; } @@ -2983,14 +2719,14 @@ libcrux_ml_kem_vector_traits_to_unsigned_representative_61(__m256i a) { } /** -A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_serialize_to_unsigned_field_modulus_61(__m256i a) { +libcrux_ml_kem_serialize_to_unsigned_field_element_61(__m256i a) { return libcrux_ml_kem_vector_traits_to_unsigned_representative_61(a); } @@ -3007,7 +2743,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_61( uint8_t serialized[32U] = {0U}; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_61( + __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_element_61( re.coefficients[i0]); __m256i coefficient_compressed = libcrux_ml_kem_vector_avx2_compress_1_09(coefficient); @@ -3149,7 +2885,7 @@ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } uint8_t uu____1[32U] = {0U}; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; @@ -3157,18 +2893,24 @@ libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) { lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -3180,7 +2922,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -3197,11 +2939,12 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1152 - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { for (size_t i = (size_t)0U; @@ -3226,13 +2969,12 @@ typedef libcrux_sha3_avx2_x4_incremental_KeccakState /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_e0( uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState_55 state = libcrux_sha3_avx2_x4_incremental_init(); @@ -3250,30 +2992,29 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_a9_e0( uint8_t input[3U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[3U][34U]; memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); - return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( + return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_e0( copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const +generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; @@ -3303,16 +3044,16 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with -const generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const +generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_a9_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( - self, ret); + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_e0(self, + ret); } /** @@ -3402,13 +3143,12 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; @@ -3438,15 +3178,14 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const -generics +libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_e0( +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_a9_e0( libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0(self, ret); + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_e0(self, ret); } /** @@ -3537,19 +3276,19 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef +A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_ef_61(Eurydice_slice a) { +libcrux_ml_kem_polynomial_from_i16_array_d6_61(Eurydice_slice a) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -3569,7 +3308,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_sampling_sample_from_xof_closure_6c(int16_t s[272U]) { - return libcrux_ml_kem_polynomial_from_i16_array_ef_61( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -3589,10 +3328,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( uint8_t copy_of_seeds[3U][34U]; memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_e0( + libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_a9_e0( copy_of_seeds); uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_e0( + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_a9_e0( &xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[3U][504U]; @@ -3608,7 +3347,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( break; } else { uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_e0( + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_a9_e0( &xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[3U][168U]; @@ -3663,13 +3402,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_6c( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)3U, sampled, + (size_t)3U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), libcrux_ml_kem_polynomial_PolynomialRingElement_f6); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -3701,7 +3441,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_closure_b4(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -3755,6 +3495,55 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_a9_41( libcrux_ml_kem_hash_functions_avx2_PRFxN_41(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types @@ -3798,7 +3587,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_61( sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_ef_61( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3844,7 +3633,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_61( sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_ef_61( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3904,18 +3693,15 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_61( re); size_t zeta_i = (size_t)1U; libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U, - (size_t)11207U); + (size_t)3U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U, - (size_t)11207U + (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61( - &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_61( - &zeta_i, re, (size_t)3U, (size_t)11207U + (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_61( - &zeta_i, re, (size_t)2U, (size_t)11207U + (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_61( - &zeta_i, re, (size_t)1U, (size_t)11207U + (size_t)5U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_61(re); + (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U, + (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U, (size_t)3U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } /** @@ -3971,7 +3757,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_b4( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; @@ -4002,7 +3788,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_b4(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -4019,7 +3805,7 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - error_1[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; @@ -4096,30 +3882,28 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_matrix_compute_vector_u_closure_ab(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_61( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -4132,6 +3916,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_61( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4146,7 +3933,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - result[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + result[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( @@ -4167,12 +3954,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_61(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result[i1], + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(a_element, &r_as_ntt[j]); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1], &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_ef_61(&result[i1], &error_1[i1]); + libcrux_ml_kem_polynomial_add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -4205,7 +3992,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_message_61( uint8_t serialized[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; __m256i coefficient_compressed = @@ -4221,26 +4008,22 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_61( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61( +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( @@ -4273,6 +4056,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4287,16 +4073,16 @@ libcrux_ml_kem_matrix_compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_61(&t_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result, &product); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - result = libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61( + result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_61( error_2, message, result); return result; } @@ -4418,7 +4204,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_0e( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_61( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_avx2_serialize_10_09(coefficient, bytes); @@ -4427,9 +4213,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_0e( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } - uint8_t result[320U]; - memcpy(result, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -4549,7 +4333,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_0e( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_c4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_61( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_avx2_serialize_11_09(coefficient, bytes); @@ -4736,10 +4520,8 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_61( i++) { size_t i0 = i; __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_61( - re.coefficients[/* NOTE: Using `$serialized` in loop_invariant - doesn't work here */ - i0])); + libcrux_ml_kem_serialize_to_unsigned_field_element_61( + re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_avx2_serialize_4_09(coefficient, bytes); Eurydice_slice_copy( @@ -4870,7 +4652,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_61( i++) { size_t i0 = i; __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_09_f4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_61( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_avx2_serialize_5_09(coefficients, bytes); @@ -5003,7 +4785,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_74( uint8_t ret[1088U]) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(); - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1152U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -5114,7 +4896,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_41( @@ -5132,17 +4914,17 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), ciphertext, implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - libcrux_ml_kem_variant_kdf_d8_ae(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; + libcrux_ml_kem_variant_kdf_d8_ae(shared_secret0, ciphertext, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** @@ -5285,7 +5067,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( uint8_t ret[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -5300,7 +5082,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -5311,7 +5093,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; libcrux_ml_kem_variant_kdf_d8_ae(shared_secret, &ciphertext0, shared_secret_array); @@ -5419,9 +5201,9 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 libcrux_ml_kem_ind_cpa_unpacked_default_1a_ab(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 lit; - lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); - lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); return lit; } @@ -5468,25 +5250,23 @@ libcrux_ml_kem_vector_traits_to_standard_domain_61(__m256i v) { /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_61( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -5526,7 +5306,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_ZERO_ef_61(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -5539,12 +5319,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_61(matrix_element, + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&t_as_ntt[i0], + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&t_as_ntt[i0], &product); } - libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_61( + libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_61( &t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -5622,7 +5402,7 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_61( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_61( + __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_element_61( re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_avx2_serialize_12_09(coefficient, bytes); @@ -5762,6 +5542,9 @@ libcrux_ml_kem_ind_cpa_generate_keypair_bb(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -5851,13 +5634,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d6(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } /** @@ -5943,7 +5726,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_ae( uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_e0( Eurydice_array_to_slice((size_t)1088U, - libcrux_ml_kem_types_as_slice_d4_80(ciphertext), + libcrux_ml_kem_types_as_slice_07_80(ciphertext), uint8_t), ret0); Eurydice_slice_copy( @@ -6019,7 +5802,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a10( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_41( @@ -6037,17 +5820,17 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a10( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), ciphertext, implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - libcrux_ml_kem_variant_kdf_33_ae(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; + libcrux_ml_kem_variant_kdf_33_ae(shared_secret0, ciphertext, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** @@ -6174,7 +5957,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700( uint8_t ret[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -6189,7 +5972,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -6200,7 +5983,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; libcrux_ml_kem_variant_kdf_33_ae(shared_secret, &ciphertext0, shared_secret_array); @@ -6461,13 +6244,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d60(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } /** @@ -6528,6 +6311,13 @@ libcrux_ml_kem_mlkem768_avx2_kyber_generate_key_pair(uint8_t randomness[64U]) { copy_of_randomness); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash @@ -6607,41 +6397,81 @@ static inline bool libcrux_ml_kem_mlkem768_avx2_validate_private_key( A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.closure with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_ab( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_b1( size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); +} + +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1184 +- K= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( + ring_element); + deserialized_pk[i0] = uu____0; + } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_b1( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1( public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; memcpy( - result, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - memcpy( - ret, result, + ret, deserialized_pk, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6654,7 +6484,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_ed( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_b1( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t), deserialized_pk); @@ -6768,7 +6598,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_41( @@ -6784,7 +6614,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( @@ -6929,7 +6759,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_shared_secret_array[32U]; memcpy(copy_of_shared_secret_array, shared_secret_array, @@ -7037,7 +6867,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_ab(size_t _j) { - return libcrux_ml_kem_polynomial_ZERO_ef_61(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -7050,24 +6880,24 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_ab( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - ret[i] = libcrux_ml_kem_polynomial_ZERO_ef_61(); + ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } } /** This function found in impl {(core::clone::Clone for libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2])} +TraitClause@2])#1} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.clone_8d +A monomorphic instance of libcrux_ml_kem.polynomial.clone_17 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_clone_8d_61( +libcrux_ml_kem_polynomial_clone_17_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i ret[16U]; @@ -7100,7 +6930,7 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab( for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_clone_8d_61(&ind_cpa_a[j][i0]); + libcrux_ml_kem_polynomial_clone_17_61(&ind_cpa_a[j][i0]); A[i0][j] = uu____0; } } @@ -7537,7 +7367,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d( *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( (size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t); - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98( uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( @@ -7557,7 +7387,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d( uint8_t uu____3[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), uu____3); memcpy(unpacked_public_key->public_key_hash, uu____3, diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h index fe16c7d0b..39353b1a5 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_types_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index a5cfe8f8d..84c23b668 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_H @@ -88,10 +88,6 @@ static const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = (int16_t)-108, (int16_t)-308, (int16_t)996, (int16_t)991, (int16_t)958, (int16_t)-1460, (int16_t)1522, (int16_t)1628}; -static KRML_MUSTINLINE int16_t libcrux_ml_kem_polynomial_get_zeta(size_t i) { - return libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[i]; -} - #define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U) #define LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT \ @@ -226,34 +222,30 @@ libcrux_ml_kem_vector_portable_serialize_serialize_11( libcrux_ml_kem_vector_portable_serialize_serialize_11_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = r0_10.fst; - ret[1U] = r0_10.snd; - ret[2U] = r0_10.thd; - ret[3U] = r0_10.f3; - ret[4U] = r0_10.f4; - ret[5U] = r0_10.f5; - ret[6U] = r0_10.f6; - ret[7U] = r0_10.f7; - ret[8U] = r0_10.f8; - ret[9U] = r0_10.f9; - ret[10U] = r0_10.f10; - ret[11U] = r11_21.fst; - ret[12U] = r11_21.snd; - ret[13U] = r11_21.thd; - ret[14U] = r11_21.f3; - ret[15U] = r11_21.f4; - ret[16U] = r11_21.f5; - ret[17U] = r11_21.f6; - ret[18U] = r11_21.f7; - ret[19U] = r11_21.f8; - ret[20U] = r11_21.f9; - ret[21U] = r11_21.f10; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret); + uint8_t result[22U] = {0U}; + result[0U] = r0_10.fst; + result[1U] = r0_10.snd; + result[2U] = r0_10.thd; + result[3U] = r0_10.f3; + result[4U] = r0_10.f4; + result[5U] = r0_10.f5; + result[6U] = r0_10.f6; + result[7U] = r0_10.f7; + result[8U] = r0_10.f8; + result[9U] = r0_10.f9; + result[10U] = r0_10.f10; + result[11U] = r11_21.fst; + result[12U] = r11_21.snd; + result[13U] = r11_21.thd; + result[14U] = r11_21.f3; + result[15U] = r11_21.f4; + result[16U] = r11_21.f5; + result[17U] = r11_21.f6; + result[18U] = r11_21.f7; + result[19U] = r11_21.f8; + result[20U] = r11_21.f9; + result[21U] = r11_21.f10; + memcpy(ret, result, (size_t)22U * sizeof(uint8_t)); } /** @@ -263,7 +255,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_11_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[22U]) { - libcrux_ml_kem_vector_portable_serialize_11(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret); } typedef struct int16_t_x8_s { @@ -340,6 +332,28 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( .f7 = r7}); } +static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_zero(void) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; + lit.elements[0U] = (int16_t)0; + lit.elements[1U] = (int16_t)0; + lit.elements[2U] = (int16_t)0; + lit.elements[3U] = (int16_t)0; + lit.elements[4U] = (int16_t)0; + lit.elements[5U] = (int16_t)0; + lit.elements[6U] = (int16_t)0; + lit.elements[7U] = (int16_t)0; + lit.elements[8U] = (int16_t)0; + lit.elements[9U] = (int16_t)0; + lit.elements[10U] = (int16_t)0; + lit.elements[11U] = (int16_t)0; + lit.elements[12U] = (int16_t)0; + lit.elements[13U] = (int16_t)0; + lit.elements[14U] = (int16_t)0; + lit.elements[15U] = (int16_t)0; + return lit; +} + static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( @@ -347,29 +361,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -378,7 +388,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_11(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a); } static KRML_MUSTINLINE void @@ -913,28 +923,6 @@ static const uint8_t {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U}}; -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_zero(void) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = (int16_t)0; - lit.elements[1U] = (int16_t)0; - lit.elements[2U] = (int16_t)0; - lit.elements[3U] = (int16_t)0; - lit.elements[4U] = (int16_t)0; - lit.elements[5U] = (int16_t)0; - lit.elements[6U] = (int16_t)0; - lit.elements[7U] = (int16_t)0; - lit.elements[8U] = (int16_t)0; - lit.elements[9U] = (int16_t)0; - lit.elements[10U] = (int16_t)0; - lit.elements[11U] = (int16_t)0; - lit.elements[12U] = (int16_t)0; - lit.elements[13U] = (int16_t)0; - lit.elements[14U] = (int16_t)0; - lit.elements[15U] = (int16_t)0; - return lit; -} - /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector)} @@ -994,14 +982,14 @@ libcrux_ml_kem_vector_portable_sub_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] * c; + v.elements[uu____0] = v.elements[uu____0] * c; } - return vec; + return v; } /** @@ -1010,20 +998,20 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_multiply_by_constant_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { + return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c); } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] & c; + v.elements[uu____0] = v.elements[uu____0] & c; } - return vec; + return v; } /** @@ -1039,16 +1027,27 @@ libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { - size_t i0 = i; - if (vec.elements[i0] >= (int16_t)3329) { - size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329; + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){ + .start = (size_t)0U, + .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + Option_08 uu____0 = + core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08); + if (uu____0.tag == None) { + return v; + } else { + size_t i = uu____0.f0; + if (v.elements[i] >= (int16_t)3329) { + size_t uu____1 = i; + v.elements[uu____1] = v.elements[uu____1] - (int16_t)3329; + } } } - return vec; } /** @@ -1064,10 +1063,11 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ ((int32_t)20159) -#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT ((int32_t)26) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26) -#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R \ - ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \ + ((int32_t)1 << (uint32_t) \ + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT) /** Signed Barrett Reduction @@ -1080,33 +1080,36 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) - Note: The input bound is 28296 to prevent overflow in the multiplication of - quotient by FIELD_MODULUS - + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. */ static inline int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value) { - int32_t t = (int32_t)value * - LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER + - (LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R >> 1U); + int32_t t = + (int32_t) /* hax_debug_assert!( i32::from(value) > -BARRETT_R && + i32::from(value) < BARRETT_R, "value is {value}" ); */ + value + + * LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER + + (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U); int16_t quotient = - (int16_t)(t >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT); + (int16_t)(t >> + (uint32_t) + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT); return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t vi = + v.elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - vec.elements[i0]); - vec.elements[i0] = vi; + v.elements[i0]); } - return vec; + return v; } /** @@ -1134,18 +1137,21 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) - the absolute value of `o` is bound as follows: - `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 - - In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= - FIELD_MODULUS + 1664 + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. */ static inline int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value) { int32_t k = - (int32_t)(int16_t)value * + (int32_t)(int16_t) /* hax_debug_assert!( value >= -FIELD_MODULUS * + MONTGOMERY_R && value <= FIELD_MODULUS * + MONTGOMERY_R, "value is {value}" ); */ + value + + * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; int32_t k_times_modulus = (int32_t)(int16_t)k * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; @@ -1174,22 +1180,21 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( static KRML_MUSTINLINE int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer) { - int32_t product = (int32_t)fe * (int32_t)fer; return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - product); + (int32_t)fe * (int32_t)fer); } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = + v.elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec.elements[i0], c); + v.elements[i0], c); } - return vec; + return v; } /** @@ -1256,15 +1261,15 @@ libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - a.elements[i0] = (int16_t) + v.elements[i0] = (int16_t) libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( - (uint16_t)a.elements[i0]); + (uint16_t)v.elements[i0]); } - return a; + return v; } /** @@ -1273,14 +1278,19 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_1_0d( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_1(v); } static KRML_MUSTINLINE uint32_t libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( uint8_t n, uint32_t value) { - return value & ((1U << (uint32_t)n) - 1U); + return + /* hax_debug_assert!(n == 4 || n == 5 || n == 10 || n == 11 || n == + MONTGOMERY_SHIFT); */ + value + + & ((1U << (uint32_t)n) - 1U); } static inline int16_t @@ -1305,38 +1315,36 @@ libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j) { int16_t t = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec->elements[j], zeta); - int16_t a_minus_t = vec->elements[i] - t; - int16_t a_plus_t = vec->elements[i] + t; - vec->elements[j] = a_minus_t; - vec->elements[i] = a_plus_t; + v->elements[j], zeta); + v->elements[j] = v->elements[i] - t; + v->elements[i] = v->elements[i] + t; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U, (size_t)15U); - return vec; + return v; } /** @@ -1353,25 +1361,25 @@ libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U, (size_t)15U); - return vec; + return v; } /** @@ -1387,25 +1395,22 @@ libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U, - (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U, - (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U); + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U); + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U, (size_t)15U); - return vec; + return v; } /** @@ -1419,40 +1424,38 @@ libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d( } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, - int16_t zeta, size_t i, size_t j) { - int16_t a_minus_b = vec->elements[j] - vec->elements[i]; - int16_t a_plus_b = vec->elements[j] + vec->elements[i]; - int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - a_plus_b); - int16_t o1 = + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta, + size_t i, size_t j) { + int16_t a_minus_b = v->elements[j] - v->elements[i]; + v->elements[i] = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v->elements[i] + v->elements[j]); + v->elements[j] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b, zeta); - vec->elements[i] = o0; - vec->elements[j] = o1; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)13U, (size_t)15U); - return vec; + return v; } /** @@ -1469,25 +1472,25 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, + int16_t zeta1) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)11U, (size_t)15U); - return vec; + return v; } /** @@ -1504,25 +1507,24 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, - int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)7U, (size_t)15U); - return vec; + return v; } /** @@ -1535,35 +1537,46 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, - size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { - int16_t ai = a->elements[(size_t)2U * i]; - int16_t bi = b->elements[(size_t)2U * i]; - int16_t aj = a->elements[(size_t)2U * i + (size_t)1U]; - int16_t bj = b->elements[(size_t)2U * i + (size_t)1U]; - int32_t ai_bi = (int32_t)ai * (int32_t)bi; - int32_t aj_bj_ = (int32_t)aj * (int32_t)bj; - int16_t aj_bj = - libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - aj_bj_); - int32_t aj_bj_zeta = (int32_t)aj_bj * (int32_t)zeta; - int32_t ai_bi_aj_bj = ai_bi + aj_bj_zeta; - int16_t o0 = - libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - ai_bi_aj_bj); - int32_t ai_bj = (int32_t)ai * (int32_t)bj; - int32_t aj_bi = (int32_t)aj * (int32_t)bi; - int32_t ai_bj_aj_bi = ai_bj + aj_bi; + size_t i, size_t j, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a->elements[i] * (int32_t)b->elements[i] + + (int32_t) + libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a->elements[j] * (int32_t)b->elements[j]) * + (int32_t)zeta); int16_t o1 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( - ai_bj_aj_bi); - int16_t _out0[16U]; - memcpy(_out0, out->elements, (size_t)16U * sizeof(int16_t)); - out->elements[(size_t)2U * i] = o0; - out->elements[(size_t)2U * i + (size_t)1U] = o1; + (int32_t)a->elements[i] * (int32_t)b->elements[j] + + (int32_t)a->elements[j] * (int32_t)b->elements[i]); + out->elements[i] = o0; + out->elements[j] = o1; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -1571,28 +1584,24 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - int16_t nzeta0 = -zeta0; - int16_t nzeta1 = -zeta1; - int16_t nzeta2 = -zeta2; - int16_t nzeta3 = -zeta3; libcrux_ml_kem_vector_portable_vector_type_PortableVector out = libcrux_ml_kem_vector_portable_vector_type_zero(); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta0, - (size_t)0U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta0, - (size_t)1U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta1, - (size_t)2U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta1, - (size_t)3U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta2, - (size_t)4U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta2, - (size_t)5U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta3, - (size_t)6U, &out); - libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta3, - (size_t)7U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( + lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out); return out; } @@ -1613,30 +1622,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[2U]) { - uint8_t result0 = (((((((uint32_t)(uint8_t)v.elements[0U] | - (uint32_t)(uint8_t)v.elements[1U] << 1U) | - (uint32_t)(uint8_t)v.elements[2U] << 2U) | - (uint32_t)(uint8_t)v.elements[3U] << 3U) | - (uint32_t)(uint8_t)v.elements[4U] << 4U) | - (uint32_t)(uint8_t)v.elements[5U] << 5U) | - (uint32_t)(uint8_t)v.elements[6U] << 6U) | - (uint32_t)(uint8_t)v.elements[7U] << 7U; - uint8_t result1 = (((((((uint32_t)(uint8_t)v.elements[8U] | - (uint32_t)(uint8_t)v.elements[9U] << 1U) | - (uint32_t)(uint8_t)v.elements[10U] << 2U) | - (uint32_t)(uint8_t)v.elements[11U] << 3U) | - (uint32_t)(uint8_t)v.elements[12U] << 4U) | - (uint32_t)(uint8_t)v.elements[13U] << 5U) | - (uint32_t)(uint8_t)v.elements[14U] << 6U) | - (uint32_t)(uint8_t)v.elements[15U] << 7U; - ret[0U] = result0; - ret[1U] = result1; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret); + uint8_t result[2U] = {0U}; + for (size_t i = (size_t)0U; i < (size_t)8U; i++) { + size_t i0 = i; + size_t uu____0 = (size_t)0U; + result[uu____0] = (uint32_t)result[uu____0] | + (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0; + } + for (size_t i = (size_t)8U; i < (size_t)16U; i++) { + size_t i0 = i; + size_t uu____1 = (size_t)1U; + result[uu____1] = + (uint32_t)result[uu____1] | (uint32_t)(uint8_t)v.elements[i0] + << (uint32_t)(i0 - (size_t)8U); + } + memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); } /** @@ -1646,96 +1646,29 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_1_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_1(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret); } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { - int16_t result0 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) & - 1U); - int16_t result1 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 1U & - 1U); - int16_t result2 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 2U & - 1U); - int16_t result3 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 3U & - 1U); - int16_t result4 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 4U & - 1U); - int16_t result5 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 5U & - 1U); - int16_t result6 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 6U & - 1U); - int16_t result7 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *) >> - 7U & - 1U); - int16_t result8 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) & - 1U); - int16_t result9 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 1U & - 1U); - int16_t result10 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 2U & - 1U); - int16_t result11 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 3U & - 1U); - int16_t result12 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 4U & - 1U); - int16_t result13 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 5U & - 1U); - int16_t result14 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 6U & - 1U); - int16_t result15 = (int16_t)((uint32_t)Eurydice_slice_index( - v, (size_t)1U, uint8_t, uint8_t *) >> - 7U & - 1U); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = result0; - lit.elements[1U] = result1; - lit.elements[2U] = result2; - lit.elements[3U] = result3; - lit.elements[4U] = result4; - lit.elements[5U] = result5; - lit.elements[6U] = result6; - lit.elements[7U] = result7; - lit.elements[8U] = result8; - lit.elements[9U] = result9; - lit.elements[10U] = result10; - lit.elements[11U] = result11; - lit.elements[12U] = result12; - lit.elements[13U] = result13; - lit.elements[14U] = result14; - lit.elements[15U] = result15; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + libcrux_ml_kem_vector_portable_vector_type_zero(); + for (size_t i = (size_t)0U; i < (size_t)8U; i++) { + size_t i0 = i; + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)0U, uint8_t, uint8_t *) >> + (uint32_t)i0 & + 1U); + } + for (size_t i = (size_t)8U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)1U, uint8_t, uint8_t *) >> + (uint32_t)(i0 - (size_t)8U) & + 1U); + } + return result; } /** @@ -1744,7 +1677,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_1(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a); } typedef struct uint8_t_x4_s { @@ -1792,20 +1725,16 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4( libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = result0_3.fst; - ret[1U] = result0_3.snd; - ret[2U] = result0_3.thd; - ret[3U] = result0_3.f3; - ret[4U] = result4_7.fst; - ret[5U] = result4_7.snd; - ret[6U] = result4_7.thd; - ret[7U] = result4_7.f3; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret); + uint8_t result[8U] = {0U}; + result[0U] = result0_3.fst; + result[1U] = result0_3.snd; + result[2U] = result0_3.thd; + result[3U] = result0_3.f3; + result[4U] = result4_7.fst; + result[5U] = result4_7.snd; + result[6U] = result4_7.thd; + result[7U] = result4_7.f3; + memcpy(ret, result, (size_t)8U * sizeof(uint8_t)); } /** @@ -1815,7 +1744,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_4_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_4(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret); } static KRML_MUSTINLINE int16_t_x8 @@ -1865,29 +1794,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -1896,7 +1821,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_4(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a); } typedef struct uint8_t_x5_s { @@ -1941,22 +1866,18 @@ libcrux_ml_kem_vector_portable_serialize_serialize_5( uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret); + uint8_t result[10U] = {0U}; + result[0U] = r0_4.fst; + result[1U] = r0_4.snd; + result[2U] = r0_4.thd; + result[3U] = r0_4.f3; + result[4U] = r0_4.f4; + result[5U] = r5_9.fst; + result[6U] = r5_9.snd; + result[7U] = r5_9.thd; + result[8U] = r5_9.f3; + result[9U] = r5_9.f4; + memcpy(ret, result, (size_t)10U * sizeof(uint8_t)); } /** @@ -1966,7 +1887,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_5_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[10U]) { - libcrux_ml_kem_vector_portable_serialize_5(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret); } static KRML_MUSTINLINE int16_t_x8 @@ -2027,29 +1948,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -2058,7 +1975,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_5(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a); } static KRML_MUSTINLINE uint8_t_x5 @@ -2111,32 +2028,33 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10( uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, int16_t)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; - ret[10U] = r10_14.fst; - ret[11U] = r10_14.snd; - ret[12U] = r10_14.thd; - ret[13U] = r10_14.f3; - ret[14U] = r10_14.f4; - ret[15U] = r15_19.fst; - ret[16U] = r15_19.snd; - ret[17U] = r15_19.thd; - ret[18U] = r15_19.f3; - ret[19U] = r15_19.f4; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret); + /* Here we could also do, the following, but it slows F* down: [r0_4.0, + * r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, + * r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, + * r15_19.2, r15_19.3, r15_19.4 ] If we can fix the F* for this, the code + * would be more compact. */ + uint8_t result[20U] = {0U}; + result[0U] = r0_4.fst; + result[1U] = r0_4.snd; + result[2U] = r0_4.thd; + result[3U] = r0_4.f3; + result[4U] = r0_4.f4; + result[5U] = r5_9.fst; + result[6U] = r5_9.snd; + result[7U] = r5_9.thd; + result[8U] = r5_9.f3; + result[9U] = r5_9.f4; + result[10U] = r10_14.fst; + result[11U] = r10_14.snd; + result[12U] = r10_14.thd; + result[13U] = r10_14.f3; + result[14U] = r10_14.f4; + result[15U] = r15_19.fst; + result[16U] = r15_19.snd; + result[17U] = r15_19.thd; + result[18U] = r15_19.f3; + result[19U] = r15_19.f4; + memcpy(ret, result, (size_t)20U * sizeof(uint8_t)); } /** @@ -2146,7 +2064,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_10_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_10(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret); } static KRML_MUSTINLINE int16_t_x8 @@ -2215,29 +2133,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_7.fst; - lit.elements[1U] = v0_7.snd; - lit.elements[2U] = v0_7.thd; - lit.elements[3U] = v0_7.f3; - lit.elements[4U] = v0_7.f4; - lit.elements[5U] = v0_7.f5; - lit.elements[6U] = v0_7.f6; - lit.elements[7U] = v0_7.f7; - lit.elements[8U] = v8_15.fst; - lit.elements[9U] = v8_15.snd; - lit.elements[10U] = v8_15.thd; - lit.elements[11U] = v8_15.f3; - lit.elements[12U] = v8_15.f4; - lit.elements[13U] = v8_15.f5; - lit.elements[14U] = v8_15.f6; - lit.elements[15U] = v8_15.f7; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); + v.elements[0U] = v0_7.fst; + v.elements[1U] = v0_7.snd; + v.elements[2U] = v0_7.thd; + v.elements[3U] = v0_7.f3; + v.elements[4U] = v0_7.f4; + v.elements[5U] = v0_7.f5; + v.elements[6U] = v0_7.f6; + v.elements[7U] = v0_7.f7; + v.elements[8U] = v8_15.fst; + v.elements[9U] = v8_15.snd; + v.elements[10U] = v8_15.thd; + v.elements[11U] = v8_15.f3; + v.elements[12U] = v8_15.f4; + v.elements[13U] = v8_15.f5; + v.elements[14U] = v8_15.f6; + v.elements[15U] = v8_15.f7; + return v; } /** @@ -2246,7 +2160,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_10(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a); } typedef struct uint8_t_x3_s { @@ -2295,36 +2209,32 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12( uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, int16_t)); - ret[0U] = r0_2.fst; - ret[1U] = r0_2.snd; - ret[2U] = r0_2.thd; - ret[3U] = r3_5.fst; - ret[4U] = r3_5.snd; - ret[5U] = r3_5.thd; - ret[6U] = r6_8.fst; - ret[7U] = r6_8.snd; - ret[8U] = r6_8.thd; - ret[9U] = r9_11.fst; - ret[10U] = r9_11.snd; - ret[11U] = r9_11.thd; - ret[12U] = r12_14.fst; - ret[13U] = r12_14.snd; - ret[14U] = r12_14.thd; - ret[15U] = r15_17.fst; - ret[16U] = r15_17.snd; - ret[17U] = r15_17.thd; - ret[18U] = r18_20.fst; - ret[19U] = r18_20.snd; - ret[20U] = r18_20.thd; - ret[21U] = r21_23.fst; - ret[22U] = r21_23.snd; - ret[23U] = r21_23.thd; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret); + uint8_t result[24U] = {0U}; + result[0U] = r0_2.fst; + result[1U] = r0_2.snd; + result[2U] = r0_2.thd; + result[3U] = r3_5.fst; + result[4U] = r3_5.snd; + result[5U] = r3_5.thd; + result[6U] = r6_8.fst; + result[7U] = r6_8.snd; + result[8U] = r6_8.thd; + result[9U] = r9_11.fst; + result[10U] = r9_11.snd; + result[11U] = r9_11.thd; + result[12U] = r12_14.fst; + result[13U] = r12_14.snd; + result[14U] = r12_14.thd; + result[15U] = r15_17.fst; + result[16U] = r15_17.snd; + result[17U] = r15_17.thd; + result[18U] = r18_20.fst; + result[19U] = r18_20.snd; + result[20U] = r18_20.thd; + result[21U] = r21_23.fst; + result[22U] = r21_23.snd; + result[23U] = r21_23.thd; + memcpy(ret, result, (size_t)24U * sizeof(uint8_t)); } /** @@ -2334,7 +2244,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} static inline void libcrux_ml_kem_vector_portable_serialize_12_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_12(a, ret); + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret); } typedef struct int16_t_x2_s { @@ -2377,29 +2287,25 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { int16_t_x2 v14_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - lit.elements[0U] = v0_1.fst; - lit.elements[1U] = v0_1.snd; - lit.elements[2U] = v2_3.fst; - lit.elements[3U] = v2_3.snd; - lit.elements[4U] = v4_5.fst; - lit.elements[5U] = v4_5.snd; - lit.elements[6U] = v6_7.fst; - lit.elements[7U] = v6_7.snd; - lit.elements[8U] = v8_9.fst; - lit.elements[9U] = v8_9.snd; - lit.elements[10U] = v10_11.fst; - lit.elements[11U] = v10_11.snd; - lit.elements[12U] = v12_13.fst; - lit.elements[13U] = v12_13.snd; - lit.elements[14U] = v14_15.fst; - lit.elements[15U] = v14_15.snd; - return lit; -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector re = + libcrux_ml_kem_vector_portable_vector_type_zero(); + re.elements[0U] = v0_1.fst; + re.elements[1U] = v0_1.snd; + re.elements[2U] = v2_3.fst; + re.elements[3U] = v2_3.snd; + re.elements[4U] = v4_5.fst; + re.elements[5U] = v4_5.snd; + re.elements[6U] = v6_7.fst; + re.elements[7U] = v6_7.snd; + re.elements[8U] = v8_9.fst; + re.elements[9U] = v8_9.snd; + re.elements[10U] = v10_11.fst; + re.elements[11U] = v10_11.snd; + re.elements[12U] = v12_13.fst; + re.elements[13U] = v12_13.snd; + re.elements[14U] = v14_15.fst; + re.elements[15U] = v14_15.snd; + return re; } /** @@ -2408,7 +2314,7 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector)} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_12(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a); } static KRML_MUSTINLINE size_t @@ -2547,16 +2453,16 @@ typedef libcrux_ml_kem_types_MlKemPublicKey_30 /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ZERO_ef_8c(void) { +libcrux_ml_kem_polynomial_ZERO_d6_8c(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d(); lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d(); @@ -2585,7 +2491,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_1b(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** @@ -2598,7 +2504,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -2622,7 +2528,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / @@ -2654,7 +2560,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_6c(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** @@ -2705,14 +2611,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_then_decompress_10_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); - LowStar_Ignore_ignore( - Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)16U, re.coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector), - libcrux_ml_kem_vector_portable_vector_type_PortableVector), - size_t, void *); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; @@ -2776,7 +2675,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_then_decompress_11_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; @@ -2853,13 +2752,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t layer, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; - i0 < (size_t)128U >> - (uint32_t) /* The semicolon and parentheses at the end of loop are a - workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ - layer; - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; size_t offset = round * step * (size_t)2U; @@ -2870,7 +2763,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = libcrux_ml_kem_ntt_ntt_layer_int_vec_step_8c( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; @@ -2894,7 +2787,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); re->coefficients[round] = uu____0; } } @@ -2914,8 +2807,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } } @@ -2935,10 +2829,13 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); zeta_i[0U] = zeta_i[0U] + (size_t)3U; } } @@ -2946,22 +2843,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_8c( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_8c( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -2984,18 +2879,15 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_0a( libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U, (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U, - (size_t)2U * (size_t)3328U); + (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U, - (size_t)3U * (size_t)3328U); + (size_t)3328U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U, - (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U, - (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U, - (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U, - (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_8c(re); + (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U, (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re); } /** @@ -3012,7 +2904,7 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len( @@ -3089,7 +2981,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_then_decompress_4_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; @@ -3153,7 +3045,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_then_decompress_5_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; @@ -3181,57 +3073,90 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_d0( return libcrux_ml_kem_serialize_deserialize_then_decompress_4_8c(serialized); } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef +A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ntt_multiply_ef_8c( +libcrux_ml_kem_polynomial_ntt_multiply_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - * error while extracting hax_debug_debug_assert!(lhs .coefficients - * .into_iter() .all(|coefficient| coefficient >= 0 && coefficient < 4096)); - */ + /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| + * coefficient >= 0 && coefficient < 4096)); */ libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_ntt_multiply_0d( &self->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + + (size_t)4U * i0 + + (size_t)3U]); out.coefficients[i0] = uu____0; } return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { for (size_t i = (size_t)0U; @@ -3268,10 +3193,13 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } @@ -3291,8 +3219,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_8c( re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -3312,7 +3241,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( re->coefficients[round], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); re->coefficients[round] = uu____0; } } @@ -3369,7 +3298,7 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_8c( re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_get_zeta(zeta_i[0U])); + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; @@ -3402,30 +3331,26 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b( (size_t)6U); libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_8c(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_subtract_reduce_ef_8c( +libcrux_ml_kem_polynomial_subtract_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_normal_form = @@ -3440,6 +3365,12 @@ libcrux_ml_kem_polynomial_subtract_reduce_ef_8c( return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -3452,16 +3383,16 @@ libcrux_ml_kem_matrix_compute_message_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(&secret_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result, &product); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - result = libcrux_ml_kem_polynomial_subtract_reduce_ef_8c(v, result); + result = libcrux_ml_kem_polynomial_subtract_reduce_d6_8c(v, result); return result; } @@ -3472,13 +3403,13 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15; + v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15; } - return vec; + return v; } /** @@ -3514,13 +3445,13 @@ libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( } /** -A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_serialize_to_unsigned_field_modulus_8c( +libcrux_ml_kem_serialize_to_unsigned_field_element_8c( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector result = libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(a); @@ -3540,7 +3471,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_8c( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re.coefficients[i0]); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_compressed = @@ -3678,7 +3609,7 @@ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } uint8_t uu____1[32U] = {0U}; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit; @@ -3686,18 +3617,24 @@ libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(void) { lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -3708,7 +3645,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; @@ -3727,10 +3664,11 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c( A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1152 - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { for (size_t i = (size_t)0U; @@ -3761,12 +3699,11 @@ typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_88_s { /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_e0( uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { @@ -3794,28 +3731,28 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_e0( +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_e0( uint8_t input[3U][34U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_input[3U][34U]; memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); - return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( + return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_e0( copy_of_input); } /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const +generics - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_e0( libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; @@ -3834,16 +3771,16 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1 -with const generics +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with +const generics - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_e0( +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_e0( libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( - self, ret); + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_e0(self, + ret); } /** @@ -3932,12 +3869,12 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const generics - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0( +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_e0( libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; @@ -3956,16 +3893,15 @@ libcrux_ml_kem::hash_functions::portable::PortableHash)} */ /** A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const +libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const generics - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_e0( +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_e0( libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0(self, - ret); + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_e0(self, ret); } /** @@ -4055,18 +3991,18 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef +A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_from_i16_array_ef_8c(Eurydice_slice a) { +libcrux_ml_kem_polynomial_from_i16_array_d6_8c(Eurydice_slice a) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; @@ -4088,7 +4024,7 @@ generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_sampling_sample_from_xof_closure_2b(int16_t s[272U]) { - return libcrux_ml_kem_polynomial_from_i16_array_ef_8c( + return libcrux_ml_kem_polynomial_from_i16_array_d6_8c( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -4108,10 +4044,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( uint8_t copy_of_seeds[3U][34U]; memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state = - libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_e0( + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_e0( copy_of_seeds); uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_e0( + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_e0( &xof_state, randomness0); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness0[3U][504U]; @@ -4127,7 +4063,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( break; } else { uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_e0( + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_e0( &xof_state, randomness); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[3U][168U]; @@ -4182,13 +4118,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_2b( for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)3U, sampled, + (size_t)3U, + /* A[i][j] = A_transpose[j][i] */ sampled, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), libcrux_ml_kem_polynomial_PolynomialRingElement_1d); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; - if (/* A[i][j] = A_transpose[j][i] */ transpose) { + if (transpose) { A_transpose[j][i1] = sample; } else { A_transpose[i1][j] = sample; @@ -4220,7 +4157,7 @@ generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_closure_3b(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** @@ -4256,6 +4193,55 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRFxN_f1_41( libcrux_ml_kem_hash_functions_portable_PRFxN_41(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types @@ -4298,7 +4284,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_8c( sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_ef_8c( + return libcrux_ml_kem_polynomial_from_i16_array_d6_8c( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -4343,7 +4329,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_8c( sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_ef_8c( + return libcrux_ml_kem_polynomial_from_i16_array_d6_8c( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -4402,18 +4388,15 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_8c( re); size_t zeta_i = (size_t)1U; libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U, - (size_t)11207U); + (size_t)3U); libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U, - (size_t)11207U + (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c( - &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_8c( - &zeta_i, re, (size_t)3U, (size_t)11207U + (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_8c( - &zeta_i, re, (size_t)2U, (size_t)11207U + (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_8c( - &zeta_i, re, (size_t)1U, (size_t)11207U + (size_t)5U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_8c(re); + (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U, + (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U, (size_t)3U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re); } /** @@ -4469,7 +4452,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_3b( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt; uint8_t uu____1[33U]; @@ -4500,7 +4483,7 @@ generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_3b(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** @@ -4517,7 +4500,7 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - error_1[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; @@ -4591,29 +4574,27 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_matrix_compute_vector_u_closure_1b(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_8c( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -4629,6 +4610,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_8c( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4642,7 +4626,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - result[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + result[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( @@ -4663,12 +4647,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result[i1], + libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(a_element, &r_as_ntt[j]); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result[i1], &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_ef_8c(&result[i1], &error_1[i1]); + libcrux_ml_kem_polynomial_add_error_reduce_d6_8c(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -4704,7 +4688,7 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_serialize_deserialize_then_decompress_message_8c( uint8_t serialized[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4723,25 +4707,21 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_8c( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c( +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { for (size_t i = (size_t)0U; - i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting */ - LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; - i++) { + i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_normal_form = @@ -4779,6 +4759,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4792,16 +4775,16 @@ libcrux_ml_kem_matrix_compute_ring_element_v_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(&t_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result, &product); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - result = libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c( + result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_8c( error_2, message, result); return result; } @@ -4836,8 +4819,8 @@ with const generics */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_0d_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_ef(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_ef(v); } /** @@ -4855,7 +4838,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_ff( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); @@ -4864,9 +4847,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_ff( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } - uint8_t result[320U]; - memcpy(result, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -4899,8 +4880,8 @@ with const generics */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_0d_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_c4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_c4(v); } /** @@ -4918,7 +4899,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_ff( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_c4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); @@ -5012,8 +4993,8 @@ with const generics */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_0d_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_d1(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_d1(v); } /** @@ -5035,10 +5016,8 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_8c( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_8c( - re.coefficients[/* NOTE: Using `$serialized` in loop_invariant - doesn't work here */ - i0])); + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( + re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); Eurydice_slice_copy( @@ -5078,8 +5057,8 @@ with const generics */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_0d_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_f4(a); + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_f4(v); } /** @@ -5101,7 +5080,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_8c( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = libcrux_ml_kem_vector_portable_compress_0d_f4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); @@ -5233,7 +5212,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_2a( uint8_t ret[1088U]) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(); - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3( Eurydice_slice_subslice_to(/* tˆ := Decode_12(pk) */ public_key, (size_t)1152U, uint8_t, size_t), unpacked_public_key.t_as_ntt); @@ -5342,7 +5321,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_41( @@ -5360,19 +5339,22 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), ciphertext, implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - libcrux_ml_kem_variant_kdf_d8_d6(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; + libcrux_ml_kem_variant_kdf_d8_d6(shared_secret0, ciphertext, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics @@ -5480,7 +5462,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( uint8_t ret[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -5495,7 +5477,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -5506,7 +5488,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; libcrux_ml_kem_variant_kdf_d8_d6(shared_secret, &ciphertext0, shared_secret_array); @@ -5532,7 +5514,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- C1_BLOCK_SIZE= 320 +- VECTOR_U_BLOCK_LEN= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -5581,9 +5563,9 @@ with const generics static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 libcrux_ml_kem_ind_cpa_unpacked_default_1a_1b(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 lit; - lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); - lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); + lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); return lit; } @@ -5629,24 +5611,22 @@ libcrux_ml_kem_vector_traits_to_standard_domain_8c( /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]#2} +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef +A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_8c( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < - /* Using `hax_lib::fstar::verification_status(lax)` works but produces an - error while extracting The semicolon and parentheses at the end of - loop are a workaround for the following bug - https://github.com/hacspec/hax/issues/720 */ + /* The semicolon and parentheses at the end of loop are a workaround for + the following bug https://github.com/hacspec/hax/issues/720 */ LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; @@ -5689,7 +5669,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_ZERO_ef_8c(); + libcrux_ml_kem_polynomial_ZERO_d6_8c(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( @@ -5702,12 +5682,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(matrix_element, + libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&t_as_ntt[i0], + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&t_as_ntt[i0], &product); } - libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_8c( + libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_8c( &t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -5784,7 +5764,7 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_8c( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); @@ -5920,6 +5900,9 @@ libcrux_ml_kem_ind_cpa_generate_keypair_15(Eurydice_slice key_generation_seed) { return lit; } +/** + Serialize the secret key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] @@ -6007,15 +5990,18 @@ libcrux_ml_kem_ind_cca_generate_keypair_f8(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } +/** + Portable generate key pair. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const @@ -6024,7 +6010,7 @@ generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- RANKED_BYTES_PER_RING_ELEMENT= 1152 +- BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -6071,7 +6057,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_d6( uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_e0( Eurydice_array_to_slice((size_t)1088U, - libcrux_ml_kem_types_as_slice_d4_80(ciphertext), + libcrux_ml_kem_types_as_slice_07_80(ciphertext), uint8_t), ret0); Eurydice_slice_copy( @@ -6146,7 +6132,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_620( Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_41( @@ -6164,17 +6150,17 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_620( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, uint8_t), ciphertext, implicit_rejection_shared_secret); - uint8_t shared_secret1[32U]; - libcrux_ml_kem_variant_kdf_33_d6(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; + libcrux_ml_kem_variant_kdf_33_d6(shared_secret0, ciphertext, shared_secret); + uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } /** @@ -6271,7 +6257,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0( uint8_t ret[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), ret); Eurydice_slice_copy( @@ -6286,7 +6272,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0( Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t); + (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); @@ -6297,7 +6283,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); uint8_t shared_secret_array[32U]; libcrux_ml_kem_variant_kdf_33_d6(shared_secret, &ciphertext0, shared_secret_array); @@ -6525,13 +6511,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f80(uint8_t randomness[64U]) { memcpy(copy_of_secret_key_serialized, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = - libcrux_ml_kem_types_from_7f_28(copy_of_secret_key_serialized); + libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types_from_3a_74( - uu____2, libcrux_ml_kem_types_from_5a_d0(copy_of_public_key)); + return libcrux_ml_kem_types_from_17_74( + uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key)); } /** @@ -6568,6 +6554,13 @@ libcrux_ml_kem_mlkem768_portable_kyber_generate_key_pair( copy_of_randomness); } +/** + Validate an ML-KEM private key. + + This implements the Hash check in 7.3 3. + Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` + and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] @@ -6628,39 +6621,78 @@ A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.closure with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_1b( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_c0( size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); +} + +/** +A monomorphic instance of +libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1184 +- K= 3 +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_c0( + Eurydice_slice public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(public_key, uint8_t) / + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) { + size_t i0 = i; + Eurydice_slice ring_element = Eurydice_slice_subslice2( + public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c( + ring_element); + deserialized_pk[i0] = uu____0; + } } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- PUBLIC_KEY_SIZE= 1184 - K= 3 */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_c0( Eurydice_slice public_key, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_c0( public_key, deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; - memcpy( - result, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy( - ret, result, + ret, deserialized_pk, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } +/** + Validate an ML-KEM public key. + + This implements the Modulus check in 7.2 2. + Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the + `public_key` type. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -6672,7 +6704,7 @@ with const generics static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_6c( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_c0( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t), deserialized_pk); @@ -6768,7 +6800,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t); - Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_00_80(ciphertext), + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext), uint8_t); uint8_t implicit_rejection_shared_secret[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_41( @@ -6784,7 +6816,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_00_80(ciphertext), + libcrux_ml_kem_types_as_ref_fd_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( @@ -6898,7 +6930,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c( uint8_t copy_of_ciphertext[1088U]; memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_01_80(copy_of_ciphertext); + libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_shared_secret_array[32U]; memcpy(copy_of_shared_secret_array, shared_secret_array, @@ -6971,7 +7003,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_1b(size_t _j) { - return libcrux_ml_kem_polynomial_ZERO_ef_8c(); + return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** @@ -6983,23 +7015,23 @@ with const generics static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_1b( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - ret[i] = libcrux_ml_kem_polynomial_ZERO_ef_8c(); + ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); } } /** This function found in impl {(core::clone::Clone for libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2])} +TraitClause@2])#1} */ /** -A monomorphic instance of libcrux_ml_kem.polynomial.clone_8d +A monomorphic instance of libcrux_ml_kem.polynomial.clone_17 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_clone_8d_8c( +libcrux_ml_kem_polynomial_clone_17_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U]; @@ -7034,7 +7066,7 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_clone_8d_8c(&ind_cpa_a[j][i0]); + libcrux_ml_kem_polynomial_clone_17_8c(&ind_cpa_a[j][i0]); A[i0][j] = uu____0; } } @@ -7433,7 +7465,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_f9( *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( (size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t); - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3( uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( @@ -7453,7 +7485,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_f9( uint8_t uu____3[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_e0( Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_fd_d0(public_key), + libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t), uu____3); memcpy(unpacked_public_key->public_key_hash, uu____3, diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h index 3133e6233..295930891 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_types_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index cf22f9844..06d007894 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_avx2_H @@ -2405,29 +2405,41 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_3a( } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block with types core_core_arch_x86___m256i with const generics - N= 4 - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + libcrux_sha3_generic_keccak_keccakf1600_a6(s); libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out); } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block + Squeeze another block +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block with types core_core_arch_x86___m256i with const generics - N= 4 - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { - libcrux_sha3_generic_keccak_keccakf1600_a6(s); libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out); } @@ -2471,18 +2483,6 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(s, buf); } -/** - Squeeze another block -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, - Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { - Eurydice_slice buf[4U] = {out0, out1, out2, out3}; - libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf); -} - /** A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks with types core_core_arch_x86___m256i diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index 0b6f7b530..85b7f55e1 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 7ed909f8033142d720fcbfe309243b9fa52d181d + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_portable_H @@ -2296,27 +2296,37 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a( } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block with types uint64_t with const generics - N= 1 - RATE= 168 */ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); } /** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block + Squeeze another block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { + Eurydice_slice buf[1U] = {out0}; + libcrux_sha3_generic_keccak_squeeze_next_block_c61(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block with types uint64_t with const generics - N= 1 - RATE= 168 */ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61( +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { - libcrux_sha3_generic_keccak_keccakf1600_04(s); libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); } @@ -2357,16 +2367,6 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf); } -/** - Squeeze another block -*/ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { - Eurydice_slice buf[1U] = {out0}; - libcrux_sha3_generic_keccak_squeeze_next_block_c61(s, buf); -} - #define libcrux_sha3_Sha224 0 #define libcrux_sha3_Sha256 1 #define libcrux_sha3_Sha384 2 diff --git a/libcrux-ml-kem/fuzz/.gitignore b/libcrux-ml-kem/fuzz/.gitignore new file mode 100644 index 000000000..1a45eee77 --- /dev/null +++ b/libcrux-ml-kem/fuzz/.gitignore @@ -0,0 +1,4 @@ +target +corpus +artifacts +coverage diff --git a/libcrux-ml-kem/fuzz/Cargo.toml b/libcrux-ml-kem/fuzz/Cargo.toml new file mode 100644 index 000000000..ccb5bed0d --- /dev/null +++ b/libcrux-ml-kem/fuzz/Cargo.toml @@ -0,0 +1,35 @@ +[package] +name = "libcrux-ml-kem-fuzz" +version = "0.0.0" +publish = false +edition = "2021" + +[package.metadata] +cargo-fuzz = true + +[dependencies] +libfuzzer-sys = "0.4" + +[dependencies.libcrux-ml-kem] +path = ".." + +[[bin]] +name = "keygen" +path = "fuzz_targets/keygen.rs" +test = false +doc = false +bench = false + +[[bin]] +name = "encaps" +path = "fuzz_targets/encaps.rs" +test = false +doc = false +bench = false + +[[bin]] +name = "decaps" +path = "fuzz_targets/decaps.rs" +test = false +doc = false +bench = false diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs new file mode 100644 index 000000000..f2aaa8a28 --- /dev/null +++ b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs @@ -0,0 +1,25 @@ +#![no_main] + +use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE}; +use libfuzzer_sys::fuzz_target; + +fuzz_target!(|data: &[u8]| { + if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE { + // Not enough entropy + return; + } + + let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE]; + randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]); + + let key_pair = mlkem768::generate_key_pair(randomness); + + let mut randomness = [0u8; ENCAPS_SEED_SIZE]; + randomness.copy_from_slice( + &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE], + ); + + let (ct, _ss) = mlkem768::encapsulate(key_pair.public_key(), randomness); + + let _ = core::hint::black_box(mlkem768::decapsulate(key_pair.private_key(), &ct)); +}); diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs new file mode 100644 index 000000000..84342631c --- /dev/null +++ b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs @@ -0,0 +1,23 @@ +#![no_main] + +use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE}; +use libfuzzer_sys::fuzz_target; + +fuzz_target!(|data: &[u8]| { + if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE { + // Not enough entropy + return; + } + + let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE]; + randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]); + + let key_pair = mlkem768::generate_key_pair(randomness); + + let mut randomness = [0u8; ENCAPS_SEED_SIZE]; + randomness.copy_from_slice( + &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE], + ); + + let _ = core::hint::black_box(mlkem768::encapsulate(key_pair.public_key(), randomness)); +}); diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs new file mode 100644 index 000000000..5af308d21 --- /dev/null +++ b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs @@ -0,0 +1,14 @@ +#![no_main] + +use libcrux_ml_kem::{mlkem768, KEY_GENERATION_SEED_SIZE}; +use libfuzzer_sys::fuzz_target; + +fuzz_target!(|data: &[u8]| { + if data.len() < KEY_GENERATION_SEED_SIZE { + // We need enough entropy. + return; + } + let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE]; + randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]); + let _ = core::hint::black_box(mlkem768::generate_key_pair(randomness)); +}); diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index d5f025639..b95b864ab 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py @@ -40,8 +40,6 @@ def __call__(self, parser, args, values, option_string=None) -> None: "-i", include_str, "fstar", - "--z3rlimit", - "80", "--interfaces", interface_include, ] @@ -66,8 +64,6 @@ def __call__(self, parser, args, values, option_string=None) -> None: "-i", include_str, "fstar", - "--z3rlimit", - "80", "--interfaces", interface_include, ] @@ -98,12 +94,9 @@ def __call__(self, parser, args, values, option_string=None) -> None: "simd128,simd256,pre-verification", ";", "into", - "-vv", "-i", include_str, "fstar", - "--z3rlimit", - "100", "--interfaces", interface_include, ] diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 1bff53934..018593ecd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst @@ -1,46 +1,15 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inz (value: u8) = - let v__orig_value:u8 = value in let value:u16 = cast (value <: u8) <: u16 in - let result:u8 = - cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8 + let result:u16 = + ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. + 1us in - let res:u8 = result &. 1uy in - let _:Prims.unit = - if v v__orig_value = 0 - then - (assert (value == zero); - lognot_lemma value; - assert ((~.value +. 1us) == zero); - assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero); - logor_lemma value zero; - assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) == - value); - assert (v result == v ((value >>! 8l))); - assert ((v value / pow2 8) == 0); - assert (result == 0uy); - logand_lemma 1uy result; - assert (res == 0uy)) - else - (assert (v value <> 0); - lognot_lemma value; - assert (v (~.value) = pow2 16 - 1 - v value); - assert (v (~.value) + 1 = pow2 16 - v value); - assert (v (value) <= pow2 8 - 1); - assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value)); - assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value)); - assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1)); - assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) = - pow2 8 - 1); - assert (result = ones); - logand_lemma 1uy result; - assert (res = 1uy)) - in - res + cast (result <: u16) <: u8 let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) @@ -49,143 +18,43 @@ let compare (lhs rhs: t_Slice u8) = let r:u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #u8 lhs <: usize) - (fun r i -> + (fun r temp_1_ -> let r:u8 = r in - let i:usize = i in - v i <= Seq.length lhs /\ - (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy))) + let _:usize = temp_1_ in + true) r (fun r i -> let r:u8 = r in let i:usize = i in - let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in - let _:Prims.unit = - if r =. 0uy - then - (if (Seq.index lhs (v i) = Seq.index rhs (v i)) - then - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (nr = r); - assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j); - assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j); - eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1))) - else - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr > 0); - assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <> - Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i)); - assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1)))) - else - (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr >= v r); - assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i)); - if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1)) - then - (assert (forall j. - j < (v i) + 1 ==> - Seq.index (Seq.slice lhs 0 ((v i) + 1)) j == - Seq.index (Seq.slice rhs 0 ((v i) + 1)) j); - eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i)); - assert (False))) - in - let r:u8 = nr in - r) + r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8) in is_non_zero r let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = Core.Hint.black_box #u8 (compare lhs rhs <: u8) -#push-options "--ifuel 0 --z3rlimit 50" - let select_ct (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in - let _:Prims.unit = - assert (if selector = 0uy then mask = ones else mask = zero); - lognot_lemma mask; - assert (if selector = 0uy then ~.mask = zero else ~.mask = ones) - in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - (fun out i -> + (fun out temp_1_ -> let out:t_Array u8 (sz 32) = out in - let i:usize = i in - v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\ - (forall j. - j < v i ==> - (if (selector =. 0uy) - then Seq.index out j == Seq.index lhs j - else Seq.index out j == Seq.index rhs j)) /\ - (forall j. j >= v i ==> Seq.index out j == 0uy)) + let _:usize = temp_1_ in + true) out (fun out i -> let out:t_Array u8 (sz 32) = out in let i:usize = i in - let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in - let outi:u8 = - ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - in - let _:Prims.unit = - if (selector = 0uy) - then - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8)); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero); - logor_lemma ((lhs.[ i ] <: u8) &. mask <: u8) - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) == - (lhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (lhs.[ i ] <: u8)); - assert (outi = (lhs.[ i ] <: u8))) - else - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8)); - logor_lemma (rhs.[ i ] <: u8) zero; - assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8)); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) == - (rhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (rhs.[ i ] <: u8)); - assert (outi = (rhs.[ i ] <: u8))) - in - let out:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi - in - out) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) + <: + t_Array u8 (sz 32)) in - let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in out -#pop-options - let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index dc6fd2b46..0d28bb910 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti @@ -1,42 +1,24 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val inz (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val is_non_zero (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. @@ -45,20 +27,14 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) @@ -66,8 +42,4 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - let selector = if lhs_c =. rhs_c then 0uy else 1uy in - ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s))) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 812c7717d..76d143aad 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Constants -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index fc7ae6c87..b09ff4dcd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd256Hash:Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) @@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) @@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = @@ -84,35 +64,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd256Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 8232d0b3d..11183ad88 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd128Hash:Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) @@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) @@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = @@ -84,35 +64,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd128Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index 33e10a142..74f6b0533 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_PortableHash (v_K: usize) : Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) @@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) @@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = @@ -84,43 +64,43 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_PortableHash v_K) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_block_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti index f734de676..e8a479263 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,19 +10,16 @@ open FStar.Mul /// - NEON /// - Portable class t_Hash (v_Self: Type0) (v_K: usize) = { - f_G_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_G_post:input: t_Slice u8 -> result: t_Array u8 (sz 64) - -> pred: Type0{pred ==> result == Spec.Utils.v_G input}; + f_G_pre:t_Slice u8 -> Type0; + f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> Type0; f_G:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) (f_G_pre x0) (fun result -> f_G_post x0 result); - f_H_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_H_post:input: t_Slice u8 -> result: t_Array u8 (sz 32) - -> pred: Type0{pred ==> result == Spec.Utils.v_H input}; + f_H_pre:t_Slice u8 -> Type0; + f_H_post:t_Slice u8 -> t_Array u8 (sz 32) -> Type0; f_H:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 32)) (f_H_pre x0) (fun result -> f_H_post x0 result); - f_PRF_pre:v_LEN: usize -> input: t_Slice u8 -> pred: Type0{v v_LEN < pow2 32 ==> pred}; - f_PRF_post:v_LEN: usize -> input: t_Slice u8 -> result: t_Array u8 v_LEN - -> pred: Type0{pred ==> v v_LEN < pow2 32 ==> result == Spec.Utils.v_PRF v_LEN input}; + f_PRF_pre:v_LEN: usize -> t_Slice u8 -> Type0; + f_PRF_post:v_LEN: usize -> t_Slice u8 -> t_Array u8 v_LEN -> Type0; f_PRF:v_LEN: usize -> x0: t_Slice u8 -> Prims.Pure (t_Array u8 v_LEN) (f_PRF_pre v_LEN x0) (fun result -> f_PRF_post v_LEN x0 result); f_PRFxN_pre:v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K @@ -40,26 +37,25 @@ class t_Hash (v_Self: Type0) (v_K: usize) = { -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) (f_PRFxN_pre v_LEN x0) (fun result -> f_PRFxN_post v_LEN x0 result); - f_shake128_init_absorb_final_pre:input: t_Array (t_Array u8 (sz 34)) v_K - -> pred: Type0{true ==> pred}; - f_shake128_init_absorb_final_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; - f_shake128_init_absorb_final:x0: t_Array (t_Array u8 (sz 34)) v_K + f_shake128_init_absorb_pre:t_Array (t_Array u8 (sz 34)) v_K -> Type0; + f_shake128_init_absorb_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; + f_shake128_init_absorb:x0: t_Array (t_Array u8 (sz 34)) v_K -> Prims.Pure v_Self - (f_shake128_init_absorb_final_pre x0) - (fun result -> f_shake128_init_absorb_final_post x0 result); - f_shake128_squeeze_first_three_blocks_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_first_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) + (f_shake128_init_absorb_pre x0) + (fun result -> f_shake128_init_absorb_post x0 result); + f_shake128_squeeze_three_blocks_pre:v_Self -> Type0; + f_shake128_squeeze_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) -> Type0; - f_shake128_squeeze_first_three_blocks:x0: v_Self + f_shake128_squeeze_three_blocks:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 504)) v_K) - (f_shake128_squeeze_first_three_blocks_pre x0) - (fun result -> f_shake128_squeeze_first_three_blocks_post x0 result); - f_shake128_squeeze_next_block_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_next_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; - f_shake128_squeeze_next_block:x0: v_Self + (f_shake128_squeeze_three_blocks_pre x0) + (fun result -> f_shake128_squeeze_three_blocks_post x0 result); + f_shake128_squeeze_block_pre:v_Self -> Type0; + f_shake128_squeeze_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; + f_shake128_squeeze_block:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 168)) v_K) - (f_shake128_squeeze_next_block_pre x0) - (fun result -> f_shake128_squeeze_next_block_post x0 result) + (f_shake128_squeeze_block_pre x0) + (fun result -> f_shake128_squeeze_block_post x0 result) } /// The SHA3 block size. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst new file mode 100644 index 000000000..4ae062555 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst @@ -0,0 +1,169 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +let decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + key_pair ciphertext + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext + +let encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness + +let generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Variant.t_MlKem randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + generate_keypair_avx2 v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness + out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out + +let unpack_public_key_avx2 + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + unpack_public_key_avx2 v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti new file mode 100644 index 000000000..eeb705954 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti @@ -0,0 +1,101 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +val decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key_avx2 + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index c9a34f640..97bf551a2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 39fede866..62e566a3c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst new file mode 100644 index 000000000..1c5cfc0fe --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst @@ -0,0 +1,93 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness + out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + out + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti new file mode 100644 index 000000000..9d2131a1c --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti @@ -0,0 +1,63 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index dca261dd4..a269333d7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -40,25 +40,25 @@ let decapsulate ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index e244a6ece..5f7d577a0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -30,55 +30,24 @@ val decapsulate usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable public key validation diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst new file mode 100644 index 000000000..df28e3a00 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst @@ -0,0 +1,93 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem + randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti new file mode 100644 index 000000000..e8eab1c4d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti @@ -0,0 +1,63 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Variant in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 333f8fbbd..317195665 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -25,6 +25,16 @@ let validate_private_key private_key ciphertext +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -40,35 +50,25 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem randomness - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index b62f5b8f2..04583da6a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -24,70 +24,39 @@ val validate_private_key v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2fbb2ea3d..f945524c6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -52,7 +52,7 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) @@ -61,23 +61,23 @@ let encapsulate then Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = @@ -87,7 +87,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness @@ -98,7 +98,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness @@ -107,7 +107,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index 4e231ea63..8323134a3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,73 +7,33 @@ val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 90b5d0f43..227944b6d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -63,7 +63,7 @@ let transpose_a v_K (fun v__j -> let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -169,7 +169,8 @@ let unpack_public_key unpacked_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.Libcrux_ml_kem.Types.f_value.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE @@ -257,7 +258,7 @@ let unpack_public_key Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) } <: t_MlKemPublicKeyUnpacked v_K v_Vector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index 6bccf5010..148d38dda 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 84a0cd81c..14c3eddd9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -44,8 +44,6 @@ let validate_private_key in t =. expected -#push-options "--z3rlimit 150" - let serialize_kem_secret_key (v_K v_SERIALIZED_KEY_LEN: usize) (#v_Hasher: Type0) @@ -156,44 +154,8 @@ let serialize_kem_secret_key <: t_Slice u8) in - let _:Prims.unit = - let open Spec.Utils in - assert ((Seq.slice out 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K))) - `Seq.equal` - private_key); - assert ((Seq.slice out - (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K))) - `Seq.equal` - public_key); - assert ((Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))) - `Seq.equal` - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key)); - assert (Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +! - Spec.MLKEM.v_SHARED_SECRET_SIZE)) == - implicit_rejection_value); - lemma_slice_append_4 out - private_key - public_key - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key) - implicit_rejection_value - in out -#pop-options - #push-options "--z3rlimit 150" let encapsulate @@ -220,7 +182,6 @@ let encapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } @@ -235,17 +196,12 @@ let encapsulate (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) <: t_Slice u8) <: t_Slice u8) in - let _:Prims.unit = - assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); - lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); - assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) - in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -261,7 +217,7 @@ let encapsulate Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness pseudorandomness in let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = @@ -294,7 +250,8 @@ let validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_PUBLIC_KEY_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: @@ -365,7 +322,7 @@ let generate_keypair #FStar.Tactics.Typeclasses.solve secret_key_serialized in - Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE + Libcrux_ml_kem.Types.impl__from v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE private_key (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) @@ -391,10 +348,6 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - let _:Prims.unit = - assert (v v_CIPHERTEXT_SIZE == - v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - in let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8) @@ -406,20 +359,6 @@ let decapsulate let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in - let _:Prims.unit = - assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE); - assert (ind_cpa_public_key == - slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - ); - assert (ind_cpa_public_key_hash == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert (implicit_rejection_value == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length private_key.f_value)) - in let decrypted:t_Array u8 (sz 32) = Libcrux_ml_kem.Ind_cpa.decrypt v_K v_CIPHERTEXT_SIZE @@ -433,7 +372,6 @@ let decapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -449,11 +387,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; - assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value); - assert (to_hash == concat decrypted ind_cpa_public_key_hash) - in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -465,21 +398,11 @@ let decapsulate (hashed <: t_Slice u8) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE in - let _:Prims.unit = - assert ((shared_secret, pseudorandomness) == - split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE); - assert (length implicit_rejection_value = - v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE); - assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - in let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -500,12 +423,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) to_hash); - lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value - in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher #v_K @@ -513,10 +430,6 @@ let decapsulate (sz 32) (to_hash <: t_Slice u8) in - let _:Prims.unit = - assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash); - assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE) - in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index cc03d69ee..6c03c2e17 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -30,11 +30,7 @@ val validate_private_key {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Serialize the secret key. val serialize_kem_secret_key @@ -42,19 +38,7 @@ val serialize_kem_secret_key (#v_Hasher: Type0) {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key public_key implicit_rejection_value: t_Slice u8) - : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in - result == - Seq.append private_key - (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) - )) + : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: @@ -95,12 +79,7 @@ val validate_public_key (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Packed API /// Generate a key pair. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index b7e0c4efc..be39c3deb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -40,7 +40,7 @@ let impl { f_secret_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K @@ -66,14 +66,14 @@ let impl_1 { f_t_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32); f_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 29146d11c..8efd719f7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -28,7 +28,7 @@ let deserialize_secret_key v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -80,6 +80,92 @@ let deserialize_secret_key #pop-options +#push-options "--ext context_pruning" + +let deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! + Rust_primitives.mk_usize 8) == + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! + v_U_COMPRESSION_FACTOR + <: + usize) /! + sz 8 + <: + usize) + (ciphertext <: t_Slice u8) + (fun u_as_ntt i -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i:usize = i in + forall (j: nat). + j < v i ==> + j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= + v v_CIPHERTEXT_SIZE /\ + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == + Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) + (Seq.slice ciphertext + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) + )) + u_as_ntt + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i, u_bytes:(usize & t_Slice u8) = temp_1_ in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + #v_Vector + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + #v_Vector + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + u_as_ntt) + in + let _:Prims.unit = + Lib.Sequence.eq_intro #Spec.MLKEM.polynomial + #(v v_K) + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) + (let open Spec.MLKEM in + vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) + in + u_as_ntt + +#pop-options + #push-options "--max_fuel 10 --z3rlimit 1000 --ext context_pruning --z3refresh --split_queries always" let sample_ring_element_cbd @@ -99,7 +185,7 @@ let sample_ring_element_cbd v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -362,7 +448,7 @@ let sample_vector_cbd_then_ntt_out v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -526,6 +612,65 @@ let generate_keypair_unpacked #pop-options +let decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext + in + let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR + #v_Vector + (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Matrix.compute_message v_K + #v_Vector + v + secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + u_as_ntt + in + Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message + +let decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_secret_key v_K #v_Vector secret_key + in + let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + in + decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_VECTOR_U_ENCODED_SIZE + v_U_COMPRESSION_FACTOR + v_V_COMPRESSION_FACTOR + #v_Vector + secret_key_unpacked + ciphertext + #push-options "--z3rlimit 200 --ext context_pruning --z3refresh" let compress_then_serialize_u @@ -782,7 +927,8 @@ let encrypt unpacked_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } <: @@ -824,151 +970,6 @@ let encrypt v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness -#push-options "--ext context_pruning" - -let deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! - Rust_primitives.mk_usize 8) == - v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! - v_U_COMPRESSION_FACTOR - <: - usize) /! - sz 8 - <: - usize) - (ciphertext <: t_Slice u8) - (fun u_as_ntt i -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i:usize = i in - forall (j: nat). - j < v i ==> - j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= - v v_CIPHERTEXT_SIZE /\ - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == - Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) - (Seq.slice ciphertext - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) - )) - u_as_ntt - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - #v_Vector - u_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR - #v_Vector - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - u_as_ntt) - in - let _:Prims.unit = - Lib.Sequence.eq_intro #Spec.MLKEM.polynomial - #(v v_K) - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) - (let open Spec.MLKEM in - vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) - in - u_as_ntt - -#pop-options - -let decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext - in - let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR - #v_Vector - (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - in - let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Matrix.compute_message v_K - #v_Vector - v - secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - u_as_ntt - in - Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message - -let decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_secret_key v_K #v_Vector secret_key - in - let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_VECTOR_U_ENCODED_SIZE - v_U_COMPRESSION_FACTOR - v_V_COMPRESSION_FACTOR - #v_Vector - secret_key_unpacked - ciphertext - #push-options "--z3rlimit 200 --ext context_pruning --z3refresh" let serialize_secret_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index 32c317b57..2881c5435 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -30,6 +30,24 @@ val deserialize_secret_key Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == Spec.MLKEM.vector_decode_12 #v_K secret_key) +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) + (ensures + fun res -> + let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == + Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) + /// Sample a vector of ring elements from a centered binomial distribution. val sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) @@ -188,6 +206,64 @@ val generate_keypair_unpacked .f_t_as_ntt i))) +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// Algorithm 14 is reproduced below: +/// ```plaintext +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m +/// ``` +/// The NIST FIPS 203 standard can be found at +/// . +val decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + result == + Spec.MLKEM.ind_cpa_decrypt_unpacked v_K + ciphertext + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt)) + +val decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) + /// Call [`compress_then_serialize_ring_element_u`] on each ring element. val compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) @@ -304,82 +380,6 @@ val encrypt let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in valid ==> result == expected) -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. -val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) - -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. -/// Algorithm 14 is reproduced below: -/// ```plaintext -/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. -/// Output: message m ∈ 𝔹^{32}. -/// c₁ ← c[0 : 32dᵤk] -/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] -/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) -/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) -/// ŝ ← ByteDecode₁₂(dkₚₖₑ) -/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) -/// m ← ByteEncode₁(Compress₁(w)) -/// return m -/// ``` -/// The NIST FIPS 203 standard can be found at -/// . -val decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == - Spec.MLKEM.ind_cpa_decrypt_unpacked v_K - ciphertext - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt)) - -val decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) - /// Call [`serialize_uncompressed_ring_element`] for each ring element. val serialize_secret_key (v_K v_OUT_LEN: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index 7293e04c6..c8c456676 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -38,27 +38,15 @@ let invert_ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round * 4 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -66,11 +54,6 @@ let invert_ntt_at_layer_1_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -82,10 +65,19 @@ let invert_ntt_at_layer_1_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_1_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 2 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 3 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize + ] + <: + i16) <: v_Vector) } @@ -93,15 +85,6 @@ let invert_ntt_at_layer_1_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i -! sz 3 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in @@ -116,26 +99,15 @@ let invert_ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round * 2 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -143,11 +115,6 @@ let invert_ntt_at_layer_2_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -159,8 +126,11 @@ let invert_ntt_at_layer_2_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_2_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) <: v_Vector) } @@ -168,15 +138,6 @@ let invert_ntt_at_layer_2_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in @@ -191,26 +152,15 @@ let invert_ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -218,11 +168,6 @@ let invert_ntt_at_layer_3_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -234,29 +179,18 @@ let invert_ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let invert_ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -305,7 +239,7 @@ let invert_ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -340,8 +274,6 @@ let invert_ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - let invert_ntt_montgomery (v_K: usize) (#v_Vector: Type0) @@ -395,7 +327,7 @@ let invert_ntt_montgomery let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti index d83521180..ffe255831 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -14,36 +14,7 @@ val inv_ntt_layer_int_vec_step_reduce {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a b: v_Vector) (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\ - Spec.Utils.is_i16b_array 28296 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b))) - (fun _ -> Prims.l_True) - -[@@ "opaque_to_smt"] - let invert_ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) - -[@@ "opaque_to_smt"] - let invert_ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_1_ (#v_Vector: Type0) @@ -52,14 +23,8 @@ val invert_ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 128 /\ invert_ntt_re_range_1 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 64) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_2_ (#v_Vector: Type0) @@ -68,14 +33,8 @@ val invert_ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 64 /\ invert_ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 32) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_3_ (#v_Vector: Type0) @@ -84,14 +43,8 @@ val invert_ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 32 /\ invert_ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_4_plus (#v_Vector: Type0) @@ -100,7 +53,7 @@ val invert_ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v layer >= 4 /\ v layer <= 7) + Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_montgomery @@ -109,5 +62,5 @@ val invert_ntt_montgomery {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires invert_ntt_re_range_1 re) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index 0fe17e19e..737d106dc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -132,9 +132,7 @@ let sample_matrix_A in v_A_transpose)) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in v_A_transpose let compute_As_plus_e @@ -171,7 +169,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -197,7 +195,7 @@ let compute_As_plus_e temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector matrix_element (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -205,7 +203,7 @@ let compute_As_plus_e v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (tt_as_ntt.[ i ] <: @@ -219,7 +217,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -232,8 +230,6 @@ let compute_As_plus_e let hax_temp_output:Prims.unit = result in tt_as_ntt -#push-options "--admit_smt_queries true" - let compute_message (v_K: usize) (#v_Vector: Type0) @@ -245,7 +241,7 @@ let compute_message t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -259,12 +255,12 @@ let compute_message let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product in result) in @@ -272,14 +268,10 @@ let compute_message Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result + Libcrux_ml_kem.Polynomial.impl__subtract_reduce #v_Vector v result in result -#pop-options - -#push-options "--admit_smt_queries true" - let compute_ring_element_v (v_K: usize) (#v_Vector: Type0) @@ -290,7 +282,7 @@ let compute_ring_element_v (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -304,12 +296,12 @@ let compute_ring_element_v let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product in result) in @@ -317,14 +309,10 @@ let compute_ring_element_v Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result + Libcrux_ml_kem.Polynomial.impl__add_message_error_reduce #v_Vector error_2_ message result in result -#pop-options - -#push-options "--admit_smt_queries true" - let compute_vector_u (v_K: usize) (#v_Vector: Type0) @@ -340,7 +328,7 @@ let compute_vector_u v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -385,7 +373,7 @@ let compute_vector_u temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector a_element (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -393,7 +381,7 @@ let compute_vector_u v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (result.[ i ] <: @@ -416,7 +404,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_error_reduce #v_Vector (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -425,5 +413,3 @@ let compute_vector_u result) in result - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 7c0e78e63..5d7fa10d5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -21,20 +21,8 @@ val sample_matrix_A (transpose: bool) : Prims.Pure (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun v_A_transpose_future -> - let v_A_transpose_future:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose_future - in - let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in - valid ==> - (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A - else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == - Spec.MLKEM.matrix_transpose matrix_A)) + Prims.l_True + (fun _ -> Prims.l_True) /// Compute  ◦ ŝ + ê val compute_As_plus_e @@ -76,20 +64,10 @@ val compute_message (secret_as_ntt u_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let secret_spec = to_spec_vector_t secret_as_ntt in - let u_spec = to_spec_vector_t u_as_ntt in - let v_spec = to_spec_poly_t v in - to_spec_poly_t res == - Spec.MLKEM.(poly_sub v_spec - (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute InverseNTT(tᵀ ◦ r\u{302}) + e₂ + message +/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message val compute_ring_element_v (v_K: usize) (#v_Vector: Type0) @@ -97,21 +75,10 @@ val compute_ring_element_v (tt_as_ntt r_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t tt_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e2_spec = to_spec_poly_t error_2_ in - let m_spec = to_spec_poly_t message in - let res_spec = to_spec_poly_t res in - res_spec == - Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #v_K tt_spec r_spec) e2_spec) - m_spec) /\ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute u := InvertNTT(Aᵀ ◦ r\u{302}) + e₁ +/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ val compute_vector_u (v_K: usize) (#v_Vector: Type0) @@ -120,17 +87,5 @@ val compute_vector_u t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (r_as_ntt error_1_: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t a_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e_spec = to_spec_vector_t error_1_ in - let res_spec = to_spec_vector_t res in - res_spec == - Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst new file mode 100644 index 000000000..535743eee --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst @@ -0,0 +1,109 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti new file mode 100644 index 000000000..e456bc52c --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti @@ -0,0 +1,87 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index 1ed6cc3c1..7080765e4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 4f57bcb17..f8995e737 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst new file mode 100644 index 000000000..f4da0ce27 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst @@ -0,0 +1,109 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti new file mode 100644 index 000000000..c98c5408d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti @@ -0,0 +1,95 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 8cab7c870..a7bb1aed1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index d71f032a7..19fcf2a03 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst new file mode 100644 index 000000000..c2a95d58f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst @@ -0,0 +1,109 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + key_pair diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti new file mode 100644 index 000000000..d1678d7e7 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti @@ -0,0 +1,95 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index 60a05dcc1..326b30645 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 9ce6a597e..4ba09a9a9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst new file mode 100644 index 000000000..363d3888a --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst @@ -0,0 +1,51 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = + Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti new file mode 100644 index 000000000..a6890b7d0 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 1024 +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem1024PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem1024KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index c06297797..6137197ca 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) - (sz 1536) - (sz 3168) - (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index fa7a134dd..e62e15b56 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -99,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem1024_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 1024 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size @@ -115,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst new file mode 100644 index 000000000..c2dec7172 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst @@ -0,0 +1,105 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti new file mode 100644 index 000000000..d5042edbf --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti @@ -0,0 +1,85 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index d84c15890..fb044bdcf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 79530147b..fffe20cdb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst new file mode 100644 index 000000000..cb844f8f7 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst @@ -0,0 +1,105 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti new file mode 100644 index 000000000..a4993e55e --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti @@ -0,0 +1,93 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 58b2f0dc4..d05e003a6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 3d846ac51..978e3f095 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst new file mode 100644 index 000000000..617b0c6a8 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst @@ -0,0 +1,106 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key + randomness + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) + (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) + (sz 128) (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti new file mode 100644 index 000000000..0b4b731fb --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti @@ -0,0 +1,93 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index 97dccb937..47ebe2fe6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 3) (sz 192) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index eee7fb43d..277ef3588 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst new file mode 100644 index 000000000..e0359272f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst @@ -0,0 +1,49 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = + Libcrux_ml_kem.Mlkem512.generate_key_pair randomness + in + rng, hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti new file mode 100644 index 000000000..95ba62654 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 512 +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem512PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem512KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index db5293cf8..4898aaa26 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 40a174dcb..9031c5873 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -1,41 +1,66 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let v_C1_BLOCK_SIZE_512_: usize = sz 320 +let v_ETA1: usize = sz 3 -let v_C1_SIZE_512_: usize = sz 640 +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_512_: usize = sz 128 +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = sz 768 +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = sz 800 +let v_RANK_512_: usize = sz 2 -let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = sz 768 +let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = sz 3 +let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = + (v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = sz 192 +let v_T_AS_NTT_ENCODED_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = sz 2 +let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = sz 128 +let v_SECRET_KEY_SIZE_512_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = sz 800 +let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 -let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = sz 768 +let v_C1_BLOCK_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_RANK_512_: usize = sz 2 +let v_C1_SIZE_512_: usize = v_C1_BLOCK_SIZE_512_ *! v_RANK_512_ -let v_SECRET_KEY_SIZE_512_: usize = sz 1632 +let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 -let v_T_AS_NTT_ENCODED_SIZE_512_: usize = sz 768 +let v_C2_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 +let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ -let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ /// Validate a private key. /// Returns `true` if valid, and `false` otherwise. @@ -55,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -74,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem512_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 512 Key Pair /// The input is a byte array of size @@ -90,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem512_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst new file mode 100644 index 000000000..7e0ebd6ca --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst @@ -0,0 +1,141 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + pk + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti new file mode 100644 index 000000000..36d886da8 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti @@ -0,0 +1,107 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index 3ec064b3f..0313c715a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index 0b2855263..3263527b3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst new file mode 100644 index 000000000..ae48f86a4 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst @@ -0,0 +1,142 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + pk + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti new file mode 100644 index 000000000..8230f5e69 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti @@ -0,0 +1,118 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index 4608a3923..ecb81f50c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index 1b4e3414d..c167a2840 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst new file mode 100644 index 000000000..88cbacd2a --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst @@ -0,0 +1,142 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in + () + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + pk + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti new file mode 100644 index 000000000..9bf968e9a --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti @@ -0,0 +1,118 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in + () + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index d98e44837..9690ed48f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index c14954e5d..a44262014 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst new file mode 100644 index 000000000..df3caf4a2 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst @@ -0,0 +1,51 @@ +module Libcrux_ml_kem.Mlkem768.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = + Libcrux_ml_kem.Mlkem768.generate_key_pair randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti new file mode 100644 index 000000000..6d9fbe622 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem768.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 768 +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem768PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem768KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 235881a7e..5d0bec2fe 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index 34bfea335..16febee24 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -99,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem768_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 768 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size @@ -115,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem768_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index d974fbef3..9462d2024 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -35,27 +35,15 @@ let ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 4 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -63,11 +51,6 @@ let ntt_at_layer_1_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -79,10 +62,19 @@ let ntt_at_layer_1_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_1_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 2 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 3 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize + ] + <: + i16) <: v_Vector) } @@ -90,15 +82,6 @@ let ntt_at_layer_1_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 3 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in @@ -113,27 +96,15 @@ let ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 2 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -141,11 +112,6 @@ let ntt_at_layer_2_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -157,8 +123,11 @@ let ntt_at_layer_2_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_2_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) <: v_Vector) } @@ -166,15 +135,6 @@ let ntt_at_layer_2_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in @@ -189,27 +149,15 @@ let ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -217,11 +165,6 @@ let ntt_at_layer_3_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -233,29 +176,18 @@ let ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -265,8 +197,13 @@ let ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) = + let _:Prims.unit = + if true + then + let _:Prims.unit = Hax_lib.v_assert (layer >=. sz 4 <: bool) in + () + in let step:usize = sz 1 <>! layer <: usize) @@ -303,7 +240,7 @@ let ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -338,10 +275,6 @@ let ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - -#push-options "--admit_smt_queries true" - let ntt_at_layer_7_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -350,22 +283,17 @@ let ntt_at_layer_7_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in - let _:Prims.unit = assert (v step == 8) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) step - (fun re j -> + (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let j:usize = j in - (v j < 8 ==> - (forall (i: nat). - (i >= v j /\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))) + let _:usize = temp_1_ in + true) re (fun re j -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let j:usize = j in - let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in let t:v_Vector = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector #FStar.Tactics.Typeclasses.solve @@ -413,8 +341,6 @@ let ntt_at_layer_7_ let hax_temp_output:Prims.unit = () <: Prims.unit in re -#pop-options - #push-options "--z3rlimit 200" let ntt_binomially_sampled_ring_element @@ -429,43 +355,43 @@ let ntt_binomially_sampled_ring_element in let zeta_i:usize = sz 1 in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 11207) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 11207 +! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 11207 +! (sz 2 *! sz 3328 <: usize) <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 11207 +! (sz 3 *! sz 3328 <: usize) <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 11207 +! (sz 4 *! sz 3328 <: usize) <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 11207 +! (sz 5 *! sz 3328 <: usize) <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -493,43 +419,43 @@ let ntt_vector_u let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 2 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 4 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 5 *! sz 3328 <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 6 *! sz 3328 <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 7 *! sz 3328 <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti index 8cf047654..7369fa656 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -14,35 +14,7 @@ val ntt_layer_int_vec_step {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a b: v_Vector) (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))) - (fun _ -> Prims.l_True) - -[@@ "opaque_to_smt"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) - -[@@ "opaque_to_smt"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_1_ (#v_Vector: Type0) @@ -51,21 +23,8 @@ val ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 63 /\ ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_1 re_future /\ v zeta_i_future == 127) - -[@@ "opaque_to_smt"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_2_ (#v_Vector: Type0) @@ -74,21 +33,8 @@ val ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 31 /\ ntt_re_range_3 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_2 re_future /\ v zeta_i_future == 63) - -[@@ "opaque_to_smt"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_3_ (#v_Vector: Type0) @@ -97,14 +43,8 @@ val ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 15 /\ ntt_re_range_4 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_3 re_future /\ v zeta_i_future == 31) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_4_plus (#v_Vector: Type0) @@ -113,46 +53,15 @@ val ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - v layer >= 4 /\ v layer <= 7 /\ - ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\ - (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0))) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\ - (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\ - (v layer == 7 ==> v zeta_i_future == 1)) - -[@@ "opaque_to_smt"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_7_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - forall i. - i < 8 ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])) + Prims.l_True (fun _ -> Prims.l_True) val ntt_binomially_sampled_ring_element diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 257bb1029..f8397d064 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -9,19 +9,13 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let get_zeta (i: usize) = - let result:i16 = v_ZETAS_TIMES_MONTGOMERY_R.[ i ] in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let impl_2__add_error_reduce +let impl__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -65,14 +59,13 @@ let impl_2__add_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__add_message_error_reduce +let impl__add_message_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self message result: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -122,14 +115,13 @@ let impl_2__add_message_error_reduce in result -let impl_2__add_standard_error_reduce +let impl__add_standard_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -171,14 +163,13 @@ let impl_2__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__poly_barrett_reduce +let impl__poly_barrett_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -210,14 +201,13 @@ let impl_2__poly_barrett_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__subtract_reduce +let impl__subtract_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self b: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let b:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -260,7 +250,7 @@ let impl_2__subtract_reduce in b -let impl_2__ZERO +let impl__ZERO (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -280,14 +270,14 @@ let impl_2__ZERO <: t_PolynomialRingElement v_Vector -let impl_2__from_i16_array +let impl__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (a: t_Slice i16) = - let result:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in + let result:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -325,15 +315,14 @@ let impl_2__from_i16_array in result -let impl_2__ntt_multiply +let impl__ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in - let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -355,10 +344,22 @@ let impl_2__ntt_multiply #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) (rhs.f_coefficients.[ i ] <: v_Vector) - (get_zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize) <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 4 *! i <: usize) <: usize ] <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 + <: + usize ] + <: + i16) <: v_Vector) <: @@ -369,7 +370,7 @@ let impl_2__ntt_multiply in out -let impl_2__add_to_ring_element +let impl__add_to_ring_element (#v_Vector: Type0) (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -377,7 +378,6 @@ let impl_2__add_to_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index 7956d29e4..28cadfac0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,7 +10,6 @@ let _ = () let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = - let _:Prims.unit = assert_norm (pow2 16 == 65536) in let list = [ (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s; @@ -29,85 +28,59 @@ let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); Rust_primitives.Hax.array_of_list 128 list -val get_zeta (i: usize) - : Prims.Pure i16 - (requires i <. sz 128) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 1664 result) - type t_PolynomialRingElement (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_coefficients:t_Array v_Vector (sz 16) } -let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit() - -let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i])) - -let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) - let v_VECTORS_IN_RING_ELEMENT: usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR -val impl_2__add_error_reduce +val impl__add_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_message_error_reduce +val impl__add_message_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_standard_error_reduce +val impl__add_standard_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__poly_barrett_reduce +val impl__poly_barrett_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__subtract_reduce +val impl__subtract_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__ZERO: +val impl__ZERO: #v_Vector: Type0 -> {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> Prims.unit -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__from_i16_array +val impl__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: t_Slice i16) - : Prims.Pure (t_PolynomialRingElement v_Vector) - (requires - (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)) - (fun _ -> Prims.l_True) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two `KyberPolynomialRingElement`s in their NTT representations, /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, -/// the `iᵗʰ` coefficient of the product `k\u{302}` is determined by the calculation: +/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: /// ```plaintext /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1)) /// ``` @@ -121,11 +94,11 @@ val impl_2__from_i16_array /// end for /// return ĥ /// ``` -/// We say \"almost\" because the coefficients of the ring element output by +/// We say "almost" because the coefficients of the ring element output by /// this function are in the Montgomery domain. /// The NIST FIPS 203 standard can be found at /// . -val impl_2__ntt_multiply +val impl__ntt_multiply (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) @@ -133,7 +106,7 @@ val impl_2__ntt_multiply /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise /// sum of their constituent coefficients. -val impl_2__add_to_ring_element +val impl__add_to_ring_element (#v_Vector: Type0) (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 13f72a5df..a8fe3c259 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -144,8 +144,6 @@ let sample_from_uniform_distribution_next <: (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) -#push-options "--admit_smt_queries true" - let sample_from_xof (v_K: usize) (#v_Vector #v_Hasher: Type0) @@ -164,13 +162,13 @@ let sample_from_xof Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K in let xof_state:v_Hasher = - Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve seeds in let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_three_blocks #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve xof_state @@ -203,7 +201,7 @@ let sample_from_xof temp_0_ in let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_block #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve xof_state @@ -231,7 +229,7 @@ let sample_from_xof out (fun s -> let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } <: Core.Ops.Range.t_Range usize ] @@ -240,10 +238,6 @@ let sample_from_xof <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - -#push-options "--z3rlimit 800" - let sample_from_binomial_distribution_2_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -251,10 +245,6 @@ let sample_from_binomial_distribution_2_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length randomness == 128) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) @@ -279,10 +269,6 @@ let sample_from_binomial_distribution_2_ in let even_bits:u32 = random_bits_as_u32 &. 1431655765ul in let odd_bits:u32 = (random_bits_as_u32 >>! 1l <: u32) &. 1431655765ul in - let _:Prims.unit = - logand_lemma random_bits_as_u32 1431655765ul; - logand_lemma (random_bits_as_u32 >>! 1l) 1431655765ul - in let coin_toss_outcomes:u32 = even_bits +! odd_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0ul Core.Num.impl__u32__BITS @@ -303,15 +289,6 @@ let sample_from_binomial_distribution_2_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 3ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 3); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 3); - assert (v chunk_number <= 31); - assert (v (sz 8 *! chunk_number <: usize) <= 248); - assert (v (cast (outcome_set >>! 2l <: u32) <: usize) <= 7) - in let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s @@ -320,11 +297,7 @@ let sample_from_binomial_distribution_2_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options - -#push-options "--z3rlimit 800" + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution_3_ (#v_Vector: Type0) @@ -333,10 +306,6 @@ let sample_from_binomial_distribution_3_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length randomness == 192) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 3) @@ -359,11 +328,6 @@ let sample_from_binomial_distribution_3_ let first_bits:u32 = random_bits_as_u24 &. 2396745ul in let second_bits:u32 = (random_bits_as_u24 >>! 1l <: u32) &. 2396745ul in let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in - let _:Prims.unit = - logand_lemma random_bits_as_u24 2396745ul; - logand_lemma (random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma (random_bits_as_u24 >>! 2l <: u32) 2396745ul - in let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0l 24l @@ -384,15 +348,6 @@ let sample_from_binomial_distribution_3_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 7ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 7); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 7); - assert (v chunk_number <= 63); - assert (v (sz 4 *! chunk_number <: usize) <= 252); - assert (v (cast (outcome_set /! 6l <: i32) <: usize) <= 3) - in let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s @@ -401,9 +356,7 @@ let sample_from_binomial_distribution_3_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution (v_ETA: usize) @@ -413,7 +366,6 @@ let sample_from_binomial_distribution Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = assert ((v (cast v_ETA <: u32) == 2) \/ (v (cast v_ETA <: u32) == 3)) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = match cast (v_ETA <: usize) <: u32 with | 2ul -> sample_from_binomial_distribution_2_ #v_Vector randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index 701fc9640..737a33ecc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index ca0e4382e..5d0e17d89 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -9,7 +9,7 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let to_unsigned_field_modulus +let to_unsigned_field_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -21,18 +21,63 @@ let to_unsigned_field_modulus let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_then_decompress_11_ +let deserialize_then_decompress_10_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 10l + coefficient + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + re + +let deserialize_then_decompress_11_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) @@ -79,11 +124,8 @@ let deserialize_then_decompress_4_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) @@ -130,11 +172,8 @@ let deserialize_then_decompress_5_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) @@ -194,7 +233,7 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -240,7 +279,7 @@ let deserialize_then_decompress_message let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_then_decompress_ring_element_v +let deserialize_then_decompress_ring_element_u (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -248,10 +287,27 @@ let deserialize_then_decompress_ring_element_v Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized + | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let deserialize_then_decompress_ring_element_v + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized @@ -272,9 +328,8 @@ let deserialize_to_reduced_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -311,12 +366,10 @@ let deserialize_to_reduced_ring_element in re) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result + re let deserialize_ring_elements_reduced - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -355,7 +408,7 @@ let deserialize_ring_elements_reduced deserialized_pk let deserialize_ring_elements_reduced_out - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -367,18 +420,14 @@ let deserialize_ring_elements_reduced_out v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk + deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE v_K #v_Vector public_key deserialized_pk in - let _:Prims.unit = admit () (* Panic freedom *) in - result + deserialized_pk let deserialize_to_uncompressed_ring_element (#v_Vector: Type0) @@ -387,9 +436,8 @@ let deserialize_to_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -432,29 +480,23 @@ let compress_then_serialize_10_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert_norm (pow2 10 == 1024) in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in let i:usize = i in - let _:Prims.unit = assert (20 * v i + 20 <= 320) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 10l - (to_unsigned_field_modulus #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -487,11 +529,7 @@ let compress_then_serialize_10_ in serialized) in - let result:t_Array u8 v_OUT_LEN = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--admit_smt_queries true" + serialized let compress_then_serialize_11_ (v_OUT_LEN: usize) @@ -517,7 +555,7 @@ let compress_then_serialize_11_ Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 11l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -552,8 +590,6 @@ let compress_then_serialize_11_ in serialized -#pop-options - let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -562,29 +598,22 @@ let compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert_norm (pow2 4 == 16) in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> - (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in - let _:Prims.unit = assert (8 * v i + 8 <= 128) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 4l - (to_unsigned_field_modulus #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -617,13 +646,9 @@ let compress_then_serialize_4_ in serialized) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -#push-options "--admit_smt_queries true" - let compress_then_serialize_5_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -647,7 +672,7 @@ let compress_then_serialize_5_ Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 5l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -683,8 +708,6 @@ let compress_then_serialize_5_ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -#pop-options - let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -696,21 +719,16 @@ let compress_then_serialize_message let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in let i:usize = i in - let _:Prims.unit = assert (2 * v i + 2 <= 32) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector + to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let coefficient_compressed:v_Vector = @@ -758,11 +776,6 @@ let compress_then_serialize_ring_element_u Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in let result:t_Array u8 v_OUT_LEN = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re @@ -785,11 +798,6 @@ let compress_then_serialize_ring_element_v (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (out: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in let out, result:(t_Slice u8 & Prims.unit) = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) @@ -807,85 +815,6 @@ let compress_then_serialize_ring_element_v let hax_temp_output:Prims.unit = result in out -let deserialize_then_decompress_10_ - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let v__coefficients_length:usize = - Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 10l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) - in - re - -let deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized - | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - let serialize_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -893,26 +822,20 @@ let serialize_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert_norm (pow2 12 == 4096) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 384) = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in let i:usize = i in - let _:Prims.unit = assert (24 * v i + 24 <= 384) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector + to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let bytes:t_Array u8 (sz 24) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 415926dbf..2784627b7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -14,8 +14,8 @@ let field_modulus_range (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: v_Vector) = let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\ - v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -3329 /\ + v (Seq.index coef i) < 3329 [@@ "opaque_to_smt"] let coefficients_field_modulus_range (#v_Vector: Type0) @@ -23,7 +23,7 @@ let coefficients_field_modulus_range (#v_Vector: Type0) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) -val to_unsigned_field_modulus +val to_unsigned_field_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: v_Vector) @@ -35,15 +35,22 @@ val to_unsigned_field_modulus forall (i: nat). i < 16 ==> v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < - v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < 3329) + +val deserialize_then_decompress_10_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_then_decompress_11_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_4_ @@ -51,7 +58,7 @@ val deserialize_then_decompress_4_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_5_ @@ -59,7 +66,7 @@ val deserialize_then_decompress_5_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_message @@ -74,6 +81,21 @@ val deserialize_then_decompress_message Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == Spec.MLKEM.decode_then_decompress_message serialized) +val deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires + (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && + (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + (ensures + fun result -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == + Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized) + val deserialize_then_decompress_ring_element_v (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) @@ -96,14 +118,12 @@ val deserialize_to_reduced_ring_element {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) + Prims.l_True (fun _ -> Prims.l_True) /// See [deserialize_ring_elements_reduced_out]. val deserialize_ring_elements_reduced - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) @@ -125,20 +145,13 @@ val deserialize_ring_elements_reduced /// modulus. /// This function MUST NOT be used on secret inputs. val deserialize_ring_elements_reduced_out - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) - (ensures - fun result -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result - in - forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i)) + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_to_uncompressed_ring_element (#v_Vector: Type0) @@ -159,9 +172,7 @@ val compress_then_serialize_10_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_11_ (v_OUT_LEN: usize) @@ -175,24 +186,14 @@ val compress_then_serialize_4_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_5_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_message (#v_Vector: Type0) @@ -242,29 +243,6 @@ val compress_then_serialize_ring_element_v Spec.MLKEM.compress_then_encode_v v_COMPRESSION_FACTOR (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) -val deserialize_then_decompress_10_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320) - (fun _ -> Prims.l_True) - -val deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) - (ensures - fun result -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == - Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized) - val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti deleted file mode 100644 index 1910c0b08..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti +++ /dev/null @@ -1,48 +0,0 @@ -module Libcrux_ml_kem.Types.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () - -/// An unpacked ML-KEM IND-CPA Private Key -type t_IndCpaPrivateKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K } - -/// An unpacked ML-KEM IND-CPA Private Key -type t_IndCpaPublicKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; - f_seed_for_A:t_Array u8 (sz 32); - f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K -} - -/// An unpacked ML-KEM IND-CCA Private Key -type t_MlKemPrivateKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_ind_cpa_private_key:t_IndCpaPrivateKeyUnpacked v_K v_Vector; - f_implicit_rejection_value:t_Array u8 (sz 32) -} - -/// An unpacked ML-KEM IND-CCA Private Key -type t_MlKemPublicKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_ind_cpa_public_key:t_IndCpaPublicKeyUnpacked v_K v_Vector; - f_public_key_hash:t_Array u8 (sz 32) -} - -/// An unpacked ML-KEM KeyPair -type t_MlKemKeyPairUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector; - f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector -} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 75ff693ea..9e95712a0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst @@ -1,27 +1,27 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_7__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_14__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_21__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value +let impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value -let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value +let impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value -let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value +let impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value -let impl_21__from +let impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__into_parts +let impl__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = @@ -29,7 +29,7 @@ let impl_21__into_parts <: (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -let impl_21__new +let impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -51,22 +51,22 @@ let impl_21__new <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__pk +let impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk + = impl_21__as_slice v_PUBLIC_KEY_SIZE self.f_pk -let impl_21__private_key +let impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_sk -let impl_21__public_key +let impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_pk -let impl_21__sk +let impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk + = impl_14__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index ca59dbe5c..b47d719e2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti @@ -1,25 +1,25 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// The number of bytes -val impl_6__len: v_SIZE: usize -> Prims.unit +val impl_7__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_13__len: v_SIZE: usize -> Prims.unit +val impl_14__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_20__len: v_SIZE: usize -> Prims.unit +val impl_21__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -27,7 +27,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -40,7 +40,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -48,19 +48,14 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip } /// A reference to the raw byte slice. -val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -68,7 +63,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -81,7 +76,7 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -89,19 +84,14 @@ let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPr } /// A reference to the raw byte slice. -val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -109,7 +99,7 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -122,7 +112,7 @@ let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -130,13 +120,8 @@ let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu } /// A reference to the raw byte slice. -val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// An ML-KEM key pair type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { @@ -145,19 +130,16 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { } /// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_21__from +val impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) Prims.l_True - (ensures - fun result -> - let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - result.f_sk == sk /\ result.f_pk == pk) + (fun _ -> Prims.l_True) /// Separate this key into the public and private key. -val impl_21__into_parts +val impl__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) @@ -165,7 +147,7 @@ val impl_21__into_parts (fun _ -> Prims.l_True) /// Creates a new [`MlKemKeyPair`]. -val impl_21__new +val impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -174,31 +156,31 @@ val impl_21__new (fun _ -> Prims.l_True) /// Get a reference to the raw public key bytes. -val impl_21__pk +val impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPrivateKey`]. -val impl_21__private_key +val impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPublicKey`]. -val impl_21__public_key +val impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the raw private key bytes. -val impl_21__sk +val impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = +let impl_1 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -209,7 +191,7 @@ let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = +let impl_8 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -220,7 +202,7 @@ let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = +let impl_15 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -231,7 +213,7 @@ let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_2 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); @@ -239,7 +221,7 @@ let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_9 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); @@ -247,7 +229,7 @@ let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_16 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); @@ -255,7 +237,7 @@ let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_6 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -286,7 +268,7 @@ let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_13 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -317,7 +299,7 @@ let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_20 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst index 2ee26ba5e..7af62082c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -26,21 +26,4 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = <: t_Slice u8) in - let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in - let _:Prims.unit = - assert (Seq.slice out (Seq.length slice) (v v_LEN) == - Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN)) - in - let _:Prims.unit = - assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i) - in - let _:Prims.unit = - assert (forall i. - (i >= Seq.length slice && i < v v_LEN) ==> - Seq.index out i == - Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice)) - in - let _:Prims.unit = - Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy)) - in out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti index c87b2d316..df9ce411d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,8 +7,4 @@ open FStar.Mul val into_padded_array (v_LEN: usize) (slice: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy) - ) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti index 0d74da846..6f90dfca8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Variant -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -27,18 +27,18 @@ class t_Variant (v_Self: Type0) = { v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE + -> Type0; f_kdf_post: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == shared_secret}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> + t_Array u8 (sz 32) + -> Type0; f_kdf: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> @@ -53,15 +53,15 @@ class t_Variant (v_Self: Type0) = { v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. sz 32 ==> pred}; + t_Slice u8 + -> Type0; f_entropy_preprocess_post: v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == randomness}; + t_Slice u8 -> + t_Array u8 (sz 32) + -> Type0; f_entropy_preprocess: v_K: usize -> #v_Hasher: Type0 -> @@ -112,7 +112,7 @@ let impl: t_Variant t_MlKem = (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -> - (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32); + true); f_kdf_post = (fun @@ -124,9 +124,9 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == shared_secret); + true); f_kdf = (fun @@ -152,7 +152,7 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) -> - (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32); + true); f_entropy_preprocess_post = (fun @@ -162,9 +162,9 @@ let impl: t_Variant t_MlKem = i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == randomness); + true); f_entropy_preprocess = (fun diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index 14c6d47e2..81d8b74e0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst @@ -1,204 +1,59 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = () +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i)) - in - result +let bitwise_and_with_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result +let multiply_by_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = () +let shift_right (v_SHIFT_BY: i32) (vector: u8) = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector -let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x *. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant) - in - result +let sub (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs -let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result - -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = () - -let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i)) - in - result - -#push-options "--z3rlimit 200" - -let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let barrett_reduce (vector: u8) = + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane t0 i == - (cast (((cast (get_lane vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) - <: - i16)) - in - let t512:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER <: u8) in - let _:Prims.unit = assert (forall i. get_lane t512 i == 512s) in - let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 t512 + let t:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s <: u8) in - let _:Prims.unit = assert (forall i. get_lane t1 i == get_lane t0 i +. 512s) in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t1 - in - let _:Prims.unit = - assert (forall i. get_lane quotient i == (((get_lane t1 i) <: i16) >>! (10l <: i32))) - in - let quotient_times_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t in + let quotient_times_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 quotient (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane quotient_times_field_modulus i == - get_lane quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + u8) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == get_lane vector i -. get_lane quotient_times_field_modulus i); - assert (forall i. get_lane result i == Spec.Utils.barrett_red (get_lane vector i)); - assert (forall i. v (get_lane result i) % 3329 == v (get_lane vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus -#push-options "--z3rlimit 100" - -let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let cond_subtract_3329_ (vector: u8) = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in - let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let vv_minus_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus in - let _:Prims.unit = - assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s) - in - let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l)) - in - let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sign_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus in + let conditional_add_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus in - let _:Prims.unit = - assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus - conditional_add_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == - (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i)); - assert (forall i. - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus + conditional_add_field_modulus -#push-options "--z3rlimit 200" - -let montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - = - let vec_constant:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let _:Prims.unit = assert (forall i. get_lane vec_constant i == constant) in - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector vec_constant - in - let _:Prims.unit = assert (forall i. get_lane value_low i == get_lane vector i *. constant) in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constant (vector: u8) (constant: i16) = + let constant:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant in + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector constant in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: @@ -206,68 +61,20 @@ let montgomery_multiply_by_constant <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector vec_constant - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vector i) <: i32) *. (cast (get_lane vec_constant i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vector i) constant); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result - -#pop-options + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector constant in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#push-options "--z3rlimit 100" - -let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane value_low i == get_lane vec i *. get_lane constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: @@ -275,69 +82,20 @@ let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vec i) <: i32) *. (cast (get_lane constants i) <: i32)) >>! 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. - get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vec i) (get_lane constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#pop-options - -#push-options "--z3rlimit 100" - -let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane128 value_low i == get_lane128 vec i *. get_lane128 constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let montgomery_multiply_m128i_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: @@ -345,74 +103,29 @@ let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Av <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let _:Prims.unit = assert (forall i. get_lane128 k i == get_lane128 value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane128 modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 modulus)); - assert (forall i. - get_lane128 k_times_modulus i == - (cast (((cast (get_lane128 k i) <: i32) *. (cast (get_lane128 modulus i) <: i32)) >>! 16l) - <: - i16)) + u8) in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane128 value_high i == - (cast (((cast (get_lane128 vec i) <: i32) *. (cast (get_lane128 constants i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus - in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. - get_lane128 result i == (get_lane128 value_high i) -. (get_lane128 k_times_modulus i)); - assert (forall i. - get_lane128 result i == - Spec.Utils.mont_mul_red_i16 (get_lane128 vec i) (get_lane128 constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (forall (i: nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result)); - assert (forall i. - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus -#pop-options - -let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec +let montgomery_reduce_i32s (v: u8) = + let k:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let k_times_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: @@ -420,19 +133,9 @@ let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result + u8) in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l v in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result in + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti index 9bc156305..ad8d448c9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti @@ -1,139 +1,34 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s -open Libcrux_intrinsics.Avx2_extract +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i))) +val bitwise_and_with_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) +val multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane vector i) * v constant)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant)) +val shift_right (v_SHIFT_BY: i32) (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - -val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i))) +val sub (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// See Section 3.2 of the implementation notes document for an explanation /// of this code. -val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329))) +val barrett_reduce (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (pow2 12 - 1) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. - i < 16 ==> - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i - )) +val cond_subtract_3329_ (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 constant) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. - i < 16 ==> - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329))) +val montgomery_multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. - i < 16 ==> - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329))) +val montgomery_multiply_by_constants (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\ - (forall i. - i < 8 ==> - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))) +val montgomery_multiply_m128i_by_constants (v c: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (3328 * pow2 16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array (3328 + 1665) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\ - (forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329)) - ) +val montgomery_reduce_i32s (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst index 87c17cd2a..d40f2d67a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst @@ -1,36 +1,27 @@ module Libcrux_ml_kem.Vector.Avx2.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs - in - let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let mulhi_mm256_epi32 (lhs rhs: u8) = + let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs in + let prod13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l lhs <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8) in Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi32 prod02 prod13 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 <: u8) -let compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) = + let field_modulus_halved:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) @@ -43,63 +34,47 @@ let compress_ciphertext_coefficient <: i32) in - let compression_factor:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l - in - let coefficient_bits_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let compression_factor:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l in + let coefficient_bits_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < Prims.l_True) +val mulhi_mm256_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype /\ - range (v (1l < Prims.l_True) +val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val compress_message_coefficient (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val decompress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype) - (fun _ -> Prims.l_True) +val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst index 7fb1ccee4..68f788df8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst @@ -1,118 +1,76 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - -let inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta3 zeta3 0s 0s zeta2 zeta2 0s 0s zeta1 zeta1 0s 0s zeta0 zeta0 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum + u8) in + let sum:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 204l sum sum_times_zetas -#pop-options - -let inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs + u8) in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta1 zeta1 zeta1 zeta1 0s 0s 0s 0s zeta0 zeta0 zeta0 zeta0 0s 0s 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 240l sum sum_times_zetas -let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let inv_ntt_layer_3_step (vector: u8) (zeta: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants upper_coefficients - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16) (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 @@ -120,92 +78,44 @@ let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 z (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let ntt_layer_3_step (vector: u8) (zeta: i16) = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) = - let shuffle_with:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let shuffle_with:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with - in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds - in - let left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with in + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens in + let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled in + let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds in + let left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds in + let right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 right (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg (cast (zeta3 <: i16) <: @@ -220,28 +130,24 @@ let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta (Core.Ops.Arith.Neg.neg (cast (zeta0 <: i16) <: i32) <: i32) (cast (zeta0 <: i16) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right - in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right in + let products_left:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_left in - let rhs_adjacent_swapped:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let rhs_adjacent_swapped:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 lhs rhs_adjacent_swapped in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_right in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right - in + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 170l products_left products_right diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti index b7f8a6c7d..e86b8344d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti @@ -1,51 +1,26 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let ntt_multiply__PERMUTE_WITH: i32 = 216l -val inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) +val inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_3_step (vector: u8) (zeta: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_3_step (vector: u8) (zeta: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti deleted file mode 100644 index fe64003c4..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti +++ /dev/null @@ -1,30 +0,0 @@ -module Libcrux_ml_kem.Vector.Avx2.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -val deserialize_11_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - Prims.l_True - (fun _ -> Prims.l_True) - -val serialize_11_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) - Prims.l_True - (fun _ -> Prims.l_True) - -type t_PortableVector = { f_elements:t_Array i16 (sz 16) } - -val from_i16_array (array: t_Array i16 (sz 16)) - : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (v: t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val to_i16_array (v: t_PortableVector) - : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) - -val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst index a36ffa505..33c894793 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst @@ -1,36 +1,19 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input - in - let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let potential_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input in + let compare_with_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi16 field_modulus potential_coefficients in let good:t_Array u8 (sz 2) = Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ compare_with_field_modulus in - let _:Prims.unit = - assert (v (cast (good.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (good.[ sz 1 ] <: u8) <: usize) < 256); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output - ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end - = - (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) +! sz 8 - })) - in let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_kem.Vector.Rej_sample_table.v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 0 ] <: @@ -38,13 +21,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles in let output:t_Slice i16 = @@ -60,13 +43,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles in let output:t_Slice i16 = @@ -93,5 +76,3 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = sampled_count +! (cast (Core.Num.impl__u8__count_ones (good.[ sz 1 ] <: u8) <: u32) <: usize) in output, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti index d75884373..361ba6196 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti @@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rejection_sample (input: t_Slice u8) (output: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 input <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 output <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let output_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length output_future == Seq.length output /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index d0c07fe84..14ccc0878 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Avx2.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,213 +10,236 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -[@@"opaque_to_smt"] +let deserialize_1_ (bytes: t_Slice u8) = + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) + in + let shift_lsb_to_msb:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - (); - (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync ()))) + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy + 8uy 7uy 6uy 5uy 5uy 4uy + <: + u8) in - let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in - let result:t_Array u8 (sz 2) = - let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients upper_coefficients in - let _:Prims.unit = - assert (forall (i: nat{i < 8}). - get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs in - result - -#pop-options + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <>! 8l <: i32) <: u8) in - let _:Prims.unit = - introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + serialized -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 12uy vector +let serialize_10_ (vector: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 - (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_10___serialize_10_vec vector + u8) in - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -234,6 +257,9 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in + let upper_8_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } @@ -264,15 +290,33 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError) -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize_12_ (vector: u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_12___serialize_12_vec vector + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < combined i = vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). - bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) - in - Core.Result.impl__unwrap #(t_Array u8 (sz 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) - -#pop-options - -[@@"opaque_to_smt"] - -let deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy - 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 9uy - 9uy 8uy 8uy 7uy 7uy 6uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 10 - then - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32) - else 0))) - in - coefficients - -let deserialize_10_ (bytes: t_Slice u8) = - let lower_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } - <: - Core.Ops.Range.t_Range usize ] - in - let upper_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 } - <: - Core.Ops.Range.t_Range usize ] - in - deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients - - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - -[@@"opaque_to_smt"] - -let deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy - 3uy 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy - 8uy 7uy 6uy 5uy 5uy 4uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 12 - then - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64) - else 0))) - in - coefficients - -let deserialize_12_ (bytes: t_Slice u8) = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 24 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients - -let deserialize_5_ (bytes: t_Slice u8) = - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) - (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) - (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) - (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) - (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) - in - let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 coefficients coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y - 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_1_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1___deserialize_1_u8s (a b: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j)) +val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 4 - then 0 - else - let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j)) +val serialize_1_ (vector: u8) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_concat_pairs_n} +val serialize_10_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 2)) - (requires forall i. i % 16 >= 1 ==> vector i == 0) - (ensures - fun result -> - let result:t_Array u8 (sz 2) = result in - forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) +val serialize_12_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 160}). - vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80))) +val serialize_5_ (vector: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 192}). - vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) +val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 20)) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 20) = r in - forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) - -val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 24)) - (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 24) = r in - forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) - -val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 8)) - (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 8) = r in - forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) - -include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} - -val deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) - -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 20) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 20)) 8 j)) - -val deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) - -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 24) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) - -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 10) - (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_11_ (vector: u8) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (vector: u8) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst index 8a9c2057c..5297d904c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst @@ -1,33 +1,17 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +let from_i16_array (array: t_Slice i16) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector -let vec_from_i16_array (array: t_Slice i16) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let vec_zero (_: Prims.unit) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result +let zero (_: Prims.unit) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector -let vec_to_i16_array (v: t_SIMD256Vector) = +let to_i16_array (v: t_SIMD256Vector) = let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in let output:t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements in - let result:t_Array i16 (sz 16) = output in - let _:Prims.unit = admit () (* Panic freedom *) in - result + output diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index b15ca262d..b1401a90e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -1,77 +1,40 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +type t_SIMD256Vector = { f_elements:u8 } -noeq +val from_i16_array (array: t_Slice i16) + : Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) -type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +val zero: Prims.unit -> Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) -let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements - -val vec_from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == array) - -val vec_zero: Prims.unit - -> Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == Seq.create 16 0s) - -val vec_to_i16_array (v: t_SIMD256Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: t_SIMD256Vector) -> true); - f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true); - f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x - } +val to_i16_array (v: t_SIMD256Vector) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = +let impl_2: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> impl.f_repr out == Seq.create 16 0s); - f_ZERO = (fun (_: Prims.unit) -> vec_zero ()); + f_ZERO = (fun (_: Prims.unit) -> zero ()); f_from_i16_array_pre = (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); f_from_i16_array_post = (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> impl.f_repr out == array); - f_from_i16_array = (fun (array: t_Slice i16) -> vec_from_i16_array array); + f_from_i16_array = (fun (array: t_Slice i16) -> from_i16_array array); f_to_i16_array_pre = (fun (x: t_SIMD256Vector) -> true); f_to_i16_array_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> out == impl.f_repr x); - f_to_i16_array = (fun (x: t_SIMD256Vector) -> vec_to_i16_array x); + f_to_i16_array = (fun (x: t_SIMD256Vector) -> to_i16_array x); f_add_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> @@ -173,7 +136,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } <: t_SIMD256Vector); @@ -217,7 +179,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress_1_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = @@ -244,7 +205,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = @@ -292,7 +252,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -312,7 +271,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } @@ -330,7 +288,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -354,7 +311,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -378,7 +334,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -397,7 +352,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -437,7 +391,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -505,7 +458,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_5_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements); f_deserialize_5_pre = @@ -514,7 +466,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_5_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes } <: t_SIMD256Vector); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst index a36b00a94..3e4a911e1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti index b765f0915..9bd656a73 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst index c6f54fd1c..42233fa2d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti index 0a2c883cb..c2afb3843 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst index d00b944c4..d95f4879d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti index a280dcc7a..b676dbeec 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index cadc20681..82205d443 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -360,6 +360,150 @@ let serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in result +let deserialize_10_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_11_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_4_ (v: t_Slice u8) = + let input:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let input_i16s:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + input + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_5_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + let deserialize_1_ (a: t_Slice u8) = let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in @@ -499,6 +643,17 @@ let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list +let serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_from_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + (out_i16s <: t_Slice i16) + in + Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + out + let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in @@ -566,161 +721,6 @@ let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in Core.Num.impl__u64__to_le_bytes sum -let deserialize_10_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_11_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_4_ (v: t_Slice u8) = - let input:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let input_i16s:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - input - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_5_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_from_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - (out_i16s <: t_Slice i16) - in - Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - out - let serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti index 3de7409f7..024da1972 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -16,44 +16,44 @@ val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (a: t_Slice u8) +val deserialize_10_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_ (v: t_Slice u8) +val deserialize_11_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_10_ (v: t_Slice u8) +val deserialize_4_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (v: t_Slice u8) +val deserialize_5_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (v: t_Slice u8) +val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (v: t_Slice u8) +val deserialize_12_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst index 116acadf7..12686d3bb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst @@ -1,51 +1,41 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let repr (x:t_SIMD128Vector) = admit() - let v_ZERO (_: Prims.unit) = - let result:t_SIMD128Vector = - { - f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; - f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + { + f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; + f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s + } + <: + t_SIMD128Vector let from_i16_array (array: t_Slice i16) = - let result:t_SIMD128Vector = - { - f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] + { + f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: - t_Slice i16); - f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: - t_Slice i16) - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + t_SIMD128Vector let to_i16_array (v: t_SIMD128Vector) = let out:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in @@ -83,6 +73,4 @@ let to_i16_array (v: t_SIMD128Vector) = <: t_Slice i16) in - let result:t_Array i16 (sz 16) = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti index c5dd6b6ab..d80603ff5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,28 +8,10 @@ type t_SIMD128Vector = { f_high:u8 } -val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16) - -val v_ZERO: Prims.unit - -> Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == Seq.create 16 0s) +val v_ZERO: Prims.unit -> Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == array) + : Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (v: t_SIMD128Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst index f41cefe46..d33fcee14 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,7 +7,6 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () let rej_sample (a: t_Slice u8) (result: t_Slice i16) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti index f3280f83e..b68a453af 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,48 +7,26 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () val rej_sample (a: t_Slice u8) (result: t_Slice i16) : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); - f_repr_post - = - (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Neon.Vector_type.v_ZERO ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = - (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == array); + (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Neon.Vector_type.from_i16_array array); @@ -56,7 +34,7 @@ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = f_to_i16_array_post = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst index bcb88d903..3eb5abd35 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst @@ -1,34 +1,9 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--z3rlimit 150 --split_queries always" - -let get_n_least_significant_bits (n: u8) (value: u32) = - let res:u32 = value &. ((1ul <>! 1l <: i32) - in - let _:Prims.unit = - assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25) - in - let _:Prims.unit = assert (v t / pow2 26 < 9) in - let _:Prims.unit = assert (v t / pow2 26 > - 9) in - let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in - let _:Prims.unit = assert (v quotient = v t / pow2 26) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in - let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in - let _:Prims.unit = - calc ( == ) { - v result % 3329; - ( == ) { () } - (v value - (v quotient * 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 } - (v value - (v quotient * 3329) % 3329) % 3329; - ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 } - (v value - 0) % 3329; - ( == ) { () } - (v value) % 3329; - } + (v_BARRETT_R >>! 1l <: i32) in - result - -#pop-options - -#push-options "--z3rlimit 500 --split_queries always" + let quotient:i16 = cast (t >>! v_BARRETT_SHIFT <: i32) <: i16 in + value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) let montgomery_reduce_element (value: i32) = let _:i32 = v_MONTGOMERY_R in @@ -73,320 +22,181 @@ let montgomery_reduce_element (value: i32) = (cast (cast (value <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) in - let _:Prims.unit = - assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert (v k == (v value @% pow2 16) * 62209); - assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15); - assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329) - in let k_times_modulus:i32 = (cast (cast (k <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) in - let _:Prims.unit = - Spec.Utils.lemma_mul_i16b (pow2 15) - (3329) - (cast (k <: i32) <: i16) - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus) - in let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert (v c == v k_times_modulus / pow2 16); - assert (Spec.Utils.is_i16b 1665 c) - in let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert (Spec.Utils.is_i16b 3328 value_high) - in - let res:i16 = value_high -! c in - let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in - let _:Prims.unit = - assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res) - in - let _:Prims.unit = - calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) - (pow2 16) - 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0) - in - let _:Prims.unit = - calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) - (pow2 16 * 169) - 3329 } - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) } - (v value * 169) % 3329; - } - in - res - -#pop-options - -#push-options "--z3rlimit 300" + value_high -! c let montgomery_multiply_fe_by_fer (fe fer: i16) = - let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in - let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in - montgomery_reduce_element product - -#pop-options - -#push-options "--z3rlimit 150" + montgomery_reduce_element ((cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) <: i32) let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) +! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! - (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) + v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs -#pop-options - -#push-options "--z3rlimit 150" - -let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - (forall j. - j < v i ==> - (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\ - v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329) - )) /\ - (forall j. - j >= v i ==> - (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\ - Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j)))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - let vi:i16 = - barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (barrett_reduce_element (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) <: i16) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - vi - } <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert (Spec.Utils.is_i16b 3328 vi); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)) - in - vec) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec - -#pop-options + v let bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. j < v i ==> Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j &. c) - ) /\ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j) - ) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements (Spec.Utils.map_array (fun x -> x &. c) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == - (let x = Seq.index v__vec0.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - if - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s - <: - bool + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) >=. + 0s + <: + bool) && + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <. 4096s + <: + bool)) + in + () + in + if (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s then { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s <: i16) - <: - t_Array i16 (sz 16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - else vec) + else v) in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements) - in - vec - -#push-options "--z3rlimit 150" + v let montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - (let vecj = Seq.index vec.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\ - v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\ - (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - (montgomery_multiply_fe_by_fer (vec + (montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) @@ -399,125 +209,93 @@ let montgomery_multiply_by_constant <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -#pop-options - -let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\ - (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! - v_SHIFT_BY - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! v_SHIFT_BY + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! - (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti index 92516558b..860b97328 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti @@ -1,22 +1,30 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ let v_BARRETT_MULTIPLIER: i32 = 20159l +let v_BARRETT_SHIFT: i32 = 26l + +let v_BARRETT_R: i32 = 1l < let result:u32 = result in - v result == v value % pow2 (v n)) + result <. + (Core.Num.impl__u32__pow 2ul + (Core.Convert.f_into #u8 #u32 #FStar.Tactics.Typeclasses.solve n <: u32) + <: + u32)) /// Signed Barrett Reduction /// Given an input `value`, `barrett_reduce` outputs a representative `result` @@ -24,142 +32,102 @@ val get_n_least_significant_bits (n: u8) (value: u32) /// - result ≡ value (mod FIELD_MODULUS) /// - the absolute value of `result` is bound as follows: /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. val barrett_reduce_element (value: i16) : Prims.Pure i16 - (requires Spec.Utils.is_i16b 28296 value) + (requires + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) >. + (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i32) && + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) <. v_BARRETT_R + ) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329) + result >. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) && + result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /// Signed Montgomery Reduction /// Given an input `value`, `montgomery_reduce` outputs a representative `o` /// such that: /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. val montgomery_reduce_element (value: i32) : Prims.Pure i16 - (requires Spec.Utils.is_i32b (3328 * pow2 16) value) + (requires + value >=. + ((Core.Ops.Arith.Neg.neg (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + <: + i32) *! + v_MONTGOMERY_R + <: + i32) && + value <=. + ((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) *! v_MONTGOMERY_R + <: + i32)) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b (3328 + 1665) result /\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\ - v result % 3329 == (v value * 169) % 3329) + result >=. + ((Core.Ops.Arith.Neg.neg (3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) + <: + i16) /! + 2s + <: + i16) && + result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16)) -/// If `fe` is some field element \'x\' of the Kyber field and `fer` is congruent to +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to /// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to /// `x · y`, as follows: /// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. val montgomery_multiply_fe_by_fer (fe fer: i16) - : Prims.Pure i16 - (requires Spec.Utils.is_i16b 1664 fer) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == (v fe * v fer * 169) % 3329) + : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True) -val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array 28296 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329)) - ) + Prims.l_True + (fun _ -> Prims.l_True) val bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector Prims.l_True - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements)) + (fun _ -> Prims.l_True) -/// Note: This function is not secret independent -/// Only use with public values. -val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 c) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) % 3329 == - (v (Seq.index vec.f_elements i) * v c * 169) % 3329))) - -val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) + Prims.l_True + (fun _ -> Prims.l_True) + +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)) + Prims.l_True + (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst index aa963a309..208427e8b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -75,127 +75,73 @@ let compress let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> + (fun a temp_1_ -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). - j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ - v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) + let _:usize = temp_1_ in + true) a (fun a i -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - u16) - <: - i16) - } + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ - v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) - in - a) - in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - v (a.f_elements.[ sz i ] <: i16) >= 0 /\ - v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in a #pop-options -#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" - -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) - -let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - (cast (a.f_elements.[ sz i ]) <: u16) <. - (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). - j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) - a - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - let _:Prims.unit = - compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (cast (compress_message_coefficient (cast (a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) - <: - u8) - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) - in - a) - in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - a - -#pop-options + v #push-options "--z3rlimit 300 --ext context_pruning" diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index cdba6253e..e697451d4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -62,17 +62,10 @@ val compress v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) -val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall (i: nat). - i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall (i: nat). - i < 16 ==> - v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) + Prims.l_True + (fun _ -> Prims.l_True) val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst index 06bc6c676..99ab0e5b0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst @@ -1,289 +1,199 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let a_minus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) in - let a_plus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) +! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - in - let _:Prims.unit = - assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) - in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element a_plus_b in - let o1:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta - in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - v a_plus_b % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v a_minus_b * v zeta * 169) % 3329; - ( == ) { () } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - o0 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i16) + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - o1 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1) - in - vec - -#push-options "--z3rlimit 200" + v let inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 2) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 3) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 4) (sz 6) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 5) (sz 7) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 8) (sz 10) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 9) (sz 11) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 12) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 13) (sz 15) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 6)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 2)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements i)) - in - vec - -#pop-options - -#push-options "--z3rlimit 100" + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 2) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 3) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 4) (sz 6) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 5) (sz 7) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 8) (sz 10) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 9) (sz 11) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 12) (sz 14) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 13) (sz 15) + in + v let inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 3) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 8) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 0) (sz 8) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 3) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 4) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 250 --split_queries always --query_stats --ext context_prune" + v let ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let ai:i16 = a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let bi:i16 = b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let aj:i16 = - a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize - ] - in - let bj:i16 = - b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize - ] - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 ai); - assert (Spec.Utils.is_i16b 3328 bi); - assert (Spec.Utils.is_i16b 3328 aj); - assert (Spec.Utils.is_i16b 3328 bj); - assert_norm (3328 * 3328 < pow2 31) - in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bi in - let ai_bi:i32 = (cast (ai <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bj in - let aj_bj___:i32 = (cast (aj <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = assert_norm (3328 * 3328 <= 3328 * pow2 15) in - let aj_bj:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element aj_bj___ in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 1664 aj_bj zeta in - let aj_bj_zeta:i32 = (cast (aj_bj <: i16) <: i32) *! (cast (zeta <: i16) <: i32) in - let ai_bi_aj_bj:i32 = ai_bi +! aj_bj_zeta in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 1664) ai_bi_aj_bj) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15) in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bi_aj_bj in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - (v ai_bi_aj_bj * 169) % 3329; - ( == ) { assert (v ai_bi_aj_bj == v ai_bi + v aj_bj_zeta) } - ((v ai_bi + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v ai_bi == v ai * v bi) } - (((v ai * v bi) + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v aj_bj_zeta == v aj_bj * v zeta) } - (((v ai * v bi) + (v aj_bj * v zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v ai * v bi) + (v aj_bj * v zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - ((((v ai * v bi) + ((v aj_bj * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj_bj % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj % 3329 == (v aj_bj___ * 169) % 3329) } - ((((v ai * v bi) + ((((v aj_bj___ * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj___ == v aj * v bj) } - ((((v ai * v bi) + ((((v aj * v bj * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj * v bj * 169) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj * v bj * 169 * v zeta) % 3329))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj * v bj * 169 * v zeta) 3329 } - ((((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) - 169 - 3329 } - (((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) * 169) % 3329; - } + let o0:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) +! + ((cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i32) + <: + i32) + <: + i16) + <: + i32) *! + (cast (zeta <: i16) <: i32) + <: + i32) + <: + i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bj in - let ai_bj:i32 = (cast (ai <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bi in - let aj_bi:i32 = (cast (aj <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let ai_bj_aj_bi:i32 = ai_bj +! aj_bi in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 3328) ai_bj_aj_bi) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15) in - let o1:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bj_aj_bi in - let _:Prims.unit = - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v ai_bj_aj_bi * 169) % 3329; - ( == ) { assert (v ai_bj_aj_bi == v ai_bj + v aj_bi) } - ((v ai_bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - } + let o1:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) + <: + i32) +! + ((cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) + <: + i32) in - let v__out0:t_Array i16 (sz 16) = out.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { out with @@ -291,7 +201,7 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - (sz 2 *! i <: usize) + i o0 } <: @@ -304,264 +214,170 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - ((sz 2 *! i <: usize) +! sz 1 <: usize) + j o1 } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. - (k <> 2 * v i /\ k <> 2 * v i + 1) ==> Seq.index out.f_elements k == Seq.index v__out0 k) - in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in out -#pop-options - let ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let t:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) zeta in - let _:Prims.unit = - assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) - in - let a_minus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t - in - let _:Prims.unit = - calc ( == ) { - v a_minus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let a_plus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t - in - let _:Prims.unit = - calc ( == ) { - v a_plus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - a_minus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - a_plus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t) - in - vec - -#push-options "--z3rlimit 100" + v let ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 2) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 2) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 3) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 3) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 4) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 4) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 5) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 5) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 8) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 8) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 9) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 9) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 12) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 12) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 13) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 13) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 3) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 8) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options + v -#push-options "--z3rlimit 100" - -let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 0) (sz 8) +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 3) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 4) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let nzeta0:i16 = Core.Ops.Arith.Neg.neg zeta0 in - let nzeta1:i16 = Core.Ops.Arith.Neg.neg zeta1 in - let nzeta2:i16 = Core.Ops.Arith.Neg.neg zeta2 in - let nzeta3:i16 = Core.Ops.Arith.Neg.neg zeta3 in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta0) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta1) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta2) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta3) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.zero () in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta0 (sz 0) out + ntt_multiply_binomials lhs rhs zeta0 (sz 0) (sz 1) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta0 (sz 1) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta0 <: i16) (sz 2) (sz 3) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta1 (sz 2) out + ntt_multiply_binomials lhs rhs zeta1 (sz 4) (sz 5) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta1 (sz 3) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta1 <: i16) (sz 6) (sz 7) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta2 (sz 4) out + ntt_multiply_binomials lhs rhs zeta2 (sz 8) (sz 9) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta2 (sz 5) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta2 <: i16) (sz 10) (sz 11) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta3 (sz 6) out + ntt_multiply_binomials lhs rhs zeta3 (sz 12) (sz 13) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta3 (sz 7) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta3 <: i16) (sz 14) (sz 15) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#pop-options + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti index 1b1a575e4..3c826a279 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti @@ -1,65 +1,36 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -[@@ "opaque_to_smt"] - val inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - Spec.Utils.is_i16b_array (4 * 3328) vec_future.f_elements /\ - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v i)) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v j)) /\ - Spec.Utils.inv_ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) /// Compute the product of two Kyber binomials with respect to the /// modulus `X² - zeta`. @@ -73,127 +44,49 @@ val inv_ntt_layer_3_step /// c₁ ← a₀·b₁ + a₁·b₀ /// return c₀, c₁ /// ``` -/// We say \"almost\" because the coefficients output by this function are in +/// We say "almost" because the coefficients output by this function are in /// the Montgomery domain (unlike in the specification). /// The NIST FIPS 203 standard can be found at /// . val ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 8 /\ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 a.f_elements /\ - Spec.Utils.is_i16b_array 3328 b.f_elements /\ Spec.Utils.is_i16b_array 3328 out.f_elements) - (ensures - fun out_future -> - let out_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out_future in - Spec.Utils.is_i16b_array 3328 out_future.f_elements /\ - (forall k. - (k <> 2 * v i /\ k <> 2 * v i + 1) ==> - Seq.index out_future.f_elements k == Seq.index out.f_elements k) /\ - (let ai = Seq.index a.f_elements (2 * v i) in - let aj = Seq.index a.f_elements (2 * v i + 1) in - let bi = Seq.index b.f_elements (2 * v i) in - let bj = Seq.index b.f_elements (2 * v i + 1) in - let oi = Seq.index out_future.f_elements (2 * v i) in - let oj = Seq.index out_future.f_elements (2 * v i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) val ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ]) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - (forall b. - (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==> - (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\ - Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\ - Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 lhs.f_elements /\ Spec.Utils.is_i16b_array 3328 rhs.f_elements - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (let zetas = - Seq.seq_of_list [ - v zeta0; - - v zeta0; - v zeta1; - - v zeta1; - v zeta2; - - v zeta2; - v zeta3; - - v zeta3 - ] - in - (forall (i: nat). - i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == - (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst index b9c0febd3..aec49a64f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst @@ -1,10 +1,8 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let sampled:usize = sz 0 in let result, sampled:(t_Slice i16 & usize) = @@ -42,5 +40,3 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) = in let hax_temp_output:usize = sampled in result, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti index cbbc36deb..fc5f15276 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti @@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rej_sample (a: t_Slice u8) (result: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 result <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let result_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length result_future == Seq.length result /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti deleted file mode 100644 index 4ed69770d..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti +++ /dev/null @@ -1,100 +0,0 @@ -module Libcrux_ml_kem.Vector.Portable.Serialize.Edited -// #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -// open Core -// open FStar.Mul - -// val deserialize_10_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_11_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_12_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) - -// val deserialize_4_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_5_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val serialize_10_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8) -// (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 4) -// (ensures -// fun tuple -> -// let tuple:(u8 & u8 & u8 & u8 & u8) = tuple in -// BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 4)) 10 (MkSeq.create5 tuple) 8) - -// val serialize_11_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) -// (requires Seq.length v == 8 /\ (forall i. Rust_primitives.bounded (Seq.index v i) 11)) -// (ensures -// fun tuple -> -// let tuple:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = tuple in -// BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 8)) 11 (MkSeq.create11 tuple) 8) - -// val serialize_12_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_4_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_5_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -// val deserialize_1_ (v: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_10_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_11_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_12_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_4_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_5_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index 37ca063e4..9a88facf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -244,65 +244,159 @@ let serialize_5_int (v: t_Slice i16) = in r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8) -let deserialize_11_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } +let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in + let result:t_Array u8 (sz 2) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 8) + (fun result temp_1_ -> + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + ((result.[ sz 0 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) < + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + ((result.[ sz 1 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in - let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - result0; result1; result2; result3; result4; result5; result6; result7; result8; result9; - result10; result11; result12; result13; result14; result15 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in - (forall (i: nat {i < 16}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_1_bounded_lemma inputs = - admit() - -let deserialize_10_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + let r6_8_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 6 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 20 } + let r9_11_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 6; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_10_ v).f_elements 10 in - (forall (i: nat {i < 160}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_10_bounded_lemma inputs = - admit() - -let deserialize_12_ (bytes: t_Slice u8) = - let v0_1_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } + let r12_14_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 10 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v2_3_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 6 } + let r15_17_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 12 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v4_5_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 6; Core.Ops.Range.f_end = sz 9 } + let r18_20_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 12; + Core.Ops.Range.f_end = sz 14 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v6_7_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 12 } + let r21_23_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 14; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_9_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 15 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_2_._1 in - let v10_11_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 15; Core.Ops.Range.f_end = sz 18 } + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_2_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_2_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r3_5_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r3_5_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r3_5_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r6_8_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r6_8_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r6_8_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r9_11_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r9_11_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r9_11_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r12_14_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r12_14_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r12_14_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r15_17_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r15_17_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r15_17_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r18_20_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r18_20_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 20) r18_20_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 21) r21_23_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 22) r21_23_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 23) r21_23_._3 + in + result + +let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result0_3_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v12_13_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 18; Core.Ops.Range.f_end = sz 21 } + let result4_7_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v14_15_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 21; Core.Ops.Range.f_end = sz 24 } + let result:t_Array u8 (sz 8) = Rust_primitives.Hax.repeat 0uy (sz 8) in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) result0_3_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) result0_3_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) result0_3_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) result0_3_._4 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) result4_7_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) result4_7_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) result4_7_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) result4_7_._4 + in + result + +let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_4_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_1_._1; v0_1_._2; v2_3_._1; v2_3_._2; v4_5_._1; v4_5_._2; v6_7_._1; v6_7_._2; v8_9_._1; - v8_9_._2; v10_11_._1; v10_11_._2; v12_13_._1; v12_13_._2; v14_15_._1; v14_15_._2 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_12_ v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_12_bounded_lemma inputs = - admit() - -let deserialize_4_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + let r5_9_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_4_._1 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_4_ v).f_elements 4 in - (forall (i: nat {i < 64}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_4_bounded_lemma inputs = - admit() + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_4_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_4_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_4_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_4_._5 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r5_9_._1 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r5_9_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r5_9_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r5_9_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r5_9_._5 + in + result -let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let result0:u8 = - (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) - <: - u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 0 ] <: u8) >>! i <: u8) &. 1uy <: u8) <: i16) <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) <: u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 1 ] <: u8) >>! (i -! sz 8 <: usize) <: u8) &. 1uy <: u8) <: i16) <: - u8) + t_Array i16 (sz 16) + } <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) <: u8) < Prims.l_True) val deserialize_11_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 11) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_12_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 3) - (fun _ -> Prims.l_True) + : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) val deserialize_4_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 4) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_5_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 5) + Prims.l_True (fun _ -> Prims.l_True) val serialize_10_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 4) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_int (v: t_Slice i16) : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) val serialize_12_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 2) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_4_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_5_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 22) - (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 10) - (fun _ -> Prims.l_True) +val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_1_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 v =. sz 2) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) - -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1) - val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 20) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) - -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 24) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) - -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) - val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) - -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4) - -val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) - -val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) - -val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst index 948ac409c..962c322cf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti index 7f42fe833..4c354edf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti @@ -1,30 +1,14 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul type t_PortableVector = { f_elements:t_Array i16 (sz 16) } val from_i16_array (array: t_Slice i16) - : Prims.Pure t_PortableVector - (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16) - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == array) + : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (x: t_PortableVector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == x.f_elements) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) -val zero: Prims.unit - -> Prims.Pure t_PortableVector - Prims.l_True - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == Seq.create 16 0s) +val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst deleted file mode 100644 index 0ca12f7ff..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst +++ /dev/null @@ -1,59 +0,0 @@ -module Libcrux_ml_kem.Vector.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in - () - -let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a - -let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a - -let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a - -let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a - -let deserialize_1_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a - -let deserialize_10_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a - -let deserialize_12_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a - -let deserialize_4_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a - -let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a - -let serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a - -let serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a - -let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 4) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 10098ed48..164f28caa 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,135 +7,24 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () -val deserialize_11_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) - (fun _ -> Prims.l_True) - -val deserialize_5_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10) - (fun _ -> Prims.l_True) - -val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr -Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_repr_post - = - (fun - (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (out: t_Array i16 (sz 16)) - -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x - } - -val deserialize_1_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)) - -val deserialize_10_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)) - -val deserialize_12_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)) - -val deserialize_4_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 8) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)) - -val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) - (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 2) = out in - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out) - -val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) - (requires Spec.MLKEM.serialize_pre 10 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 20) = out in - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out) - -val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) - (requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 24) = out in - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out) - -val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) - (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 8) = out in - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out) - -#push-options "--z3rlimit 400 --split_queries always" - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == array); + true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array); @@ -148,7 +37,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> @@ -159,21 +48,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add = (fun @@ -187,21 +70,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub = (fun @@ -211,22 +88,19 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs); f_multiply_by_constant_pre = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); f_multiply_by_constant_post = (fun - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)); + true); f_multiply_by_constant = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant vec c); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant v c); f_bitwise_and_with_constant_pre = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); @@ -237,15 +111,14 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (c: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr v)); + true); f_bitwise_and_with_constant = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c); f_shift_right_pre = - (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l); + (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_shift_right_post = (fun @@ -253,32 +126,28 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr v)); + true); f_shift_right = (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v); f_cond_subtract_3329_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_cond_subtract_3329_post = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr v)); + true); f_cond_subtract_3329_ = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v); f_barrett_reduce_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 28296 (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_barrett_reduce_post = (fun @@ -292,8 +161,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v); f_montgomery_multiply_by_constant_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> - Spec.Utils.is_i16b 1664 r); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> true); f_montgomery_multiply_by_constant_post = (fun @@ -308,57 +176,47 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); f_compress_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). - i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_compress_1_post = (fun - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); + true); f_compress_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> - v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329)); + true); f_compress_post = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) - ); + true); f_compress = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a); + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); f_decompress_ciphertext_coefficient_pre = (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + true); f_decompress_ciphertext_coefficient_post = (fun @@ -384,9 +242,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr a)); + true); f_ntt_layer_1_step_post = (fun @@ -397,7 +253,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out)); + true); f_ntt_layer_1_step = (fun @@ -415,8 +271,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr a)); + true); f_ntt_layer_2_step_post = (fun @@ -425,7 +280,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out)); + true); f_ntt_layer_2_step = (fun @@ -436,8 +291,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1); f_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_ntt_layer_3_step_post = (fun @@ -445,7 +299,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out)); + true); f_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -459,9 +313,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr a)); + true); f_inv_ntt_layer_1_step_post = (fun @@ -472,7 +324,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_1_step = (fun @@ -490,8 +342,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + true); f_inv_ntt_layer_2_step_post = (fun @@ -500,7 +351,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_2_step = (fun @@ -511,8 +362,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1); f_inv_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_inv_ntt_layer_3_step_post = (fun @@ -520,7 +370,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -535,10 +385,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs)); + true); f_ntt_multiply_post = (fun @@ -550,7 +397,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_ntt_multiply = (fun @@ -564,46 +411,46 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3); f_serialize_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_1_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 2)) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out); + true); f_serialize_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_1_ a); - f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a); + f_deserialize_1_pre = (fun (a: t_Slice u8) -> true); f_deserialize_1_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)); - f_deserialize_1_ = (fun (a: t_Slice u8) -> deserialize_1_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_1_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); f_serialize_4_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_4_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 8)) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out); + true); f_serialize_4_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_4_ a); - f_deserialize_4_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 8); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a); + f_deserialize_4_pre = (fun (a: t_Slice u8) -> true); f_deserialize_4_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)); - f_deserialize_4_ = (fun (a: t_Slice u8) -> deserialize_4_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_4_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); f_serialize_5_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); @@ -616,33 +463,36 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_5_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_5_ a); - f_deserialize_5_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 10); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a); + f_deserialize_5_pre = (fun (a: t_Slice u8) -> true); f_deserialize_5_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_5_ = (fun (a: t_Slice u8) -> deserialize_5_ a); + f_deserialize_5_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a); f_serialize_10_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_10_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 20)) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out); + true); f_serialize_10_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_10_ a); - f_deserialize_10_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 20); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a); + f_deserialize_10_pre = (fun (a: t_Slice u8) -> true); f_deserialize_10_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)); - f_deserialize_10_ = (fun (a: t_Slice u8) -> deserialize_10_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_10_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); f_serialize_11_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); @@ -655,42 +505,40 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_11_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_11_ a); - f_deserialize_11_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 22); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a); + f_deserialize_11_pre = (fun (a: t_Slice u8) -> true); f_deserialize_11_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_11_ = (fun (a: t_Slice u8) -> deserialize_11_ a); + f_deserialize_11_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a); f_serialize_12_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_12_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 24)) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out); + true); f_serialize_12_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_12_ a); - f_deserialize_12_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 24); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a); + f_deserialize_12_pre = (fun (a: t_Slice u8) -> true); f_deserialize_12_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)); - f_deserialize_12_ = (fun (a: t_Slice u8) -> deserialize_12_ a); - f_rej_sample_pre + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_12_ = - (fun (a: t_Slice u8) (out: t_Slice i16) -> - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. sz 16); + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); + f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true); f_rej_sample_post = - (fun (a: t_Slice u8) (out: t_Slice i16) (out_future, result: (t_Slice i16 & usize)) -> - Seq.length out_future == Seq.length out /\ v result <= 16); + (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true); f_rej_sample = fun (a: t_Slice u8) (out: t_Slice i16) -> @@ -701,5 +549,3 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = let hax_temp_output:usize = out1 in out, hax_temp_output <: (t_Slice i16 & usize) } - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti index f1aa1ee53..ce3906fea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Rej_sample_table -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index cbc90050c..5f3adf035 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index cb32321d0..8c907c14d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti @@ -1,323 +1,142 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -class t_Repr (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - f_repr_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_repr_post:v_Self -> t_Array i16 (sz 16) -> Type0; - f_repr:x0: v_Self - -> Prims.Pure (t_Array i16 (sz 16)) (f_repr_pre x0) (fun result -> f_repr_post x0 result) -} - class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_8706949974463268012:t_Repr v_Self; - f_ZERO_pre:x: Prims.unit - -> pred: - Type0 - { (let _:Prims.unit = x in - true) ==> - pred }; - f_ZERO_post:x: Prims.unit -> result: v_Self - -> pred: - Type0 - { pred ==> - (let _:Prims.unit = x in - f_repr result == Seq.create 16 0s) }; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); - f_from_i16_array_pre:array: t_Slice i16 - -> pred: Type0{(Core.Slice.impl__len #i16 array <: usize) =. sz 16 ==> pred}; - f_from_i16_array_post:array: t_Slice i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == array}; + f_from_i16_array_pre:t_Slice i16 -> Type0; + f_from_i16_array_post:t_Slice i16 -> v_Self -> Type0; f_from_i16_array:x0: t_Slice i16 -> Prims.Pure v_Self (f_from_i16_array_pre x0) (fun result -> f_from_i16_array_post x0 result); - f_to_i16_array_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_to_i16_array_post:x: v_Self -> result: t_Array i16 (sz 16) - -> pred: Type0{pred ==> f_repr x == result}; + f_to_i16_array_pre:v_Self -> Type0; + f_to_i16_array_post:v_Self -> t_Array i16 (sz 16) -> Type0; f_to_i16_array:x0: v_Self -> Prims.Pure (t_Array i16 (sz 16)) (f_to_i16_array_pre x0) (fun result -> f_to_i16_array_post x0 result); - f_add_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_add_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) }; + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; f_add:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_sub_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_sub_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) }; + f_sub_pre:v_Self -> v_Self -> Type0; + f_sub_post:v_Self -> v_Self -> v_Self -> Type0; f_sub:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_sub_pre x0 x1) (fun result -> f_sub_post x0 x1 result); - f_multiply_by_constant_pre:vec: v_Self -> c: i16 - -> pred: - Type0 - { (forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr vec) i) * v c)) ==> - pred }; - f_multiply_by_constant_post:vec: v_Self -> c: i16 -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> (v (Seq.index (f_repr result) i) == v (Seq.index (f_repr vec) i) * v c)) }; + f_multiply_by_constant_pre:v_Self -> i16 -> Type0; + f_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_multiply_by_constant_pre x0 x1) (fun result -> f_multiply_by_constant_post x0 x1 result); - f_bitwise_and_with_constant_pre:v: v_Self -> c: i16 -> pred: Type0{true ==> pred}; - f_bitwise_and_with_constant_post:v: v_Self -> c: i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == Spec.Utils.map_array (fun x -> x &. c) (f_repr v)}; + f_bitwise_and_with_constant_pre:v_Self -> i16 -> Type0; + f_bitwise_and_with_constant_post:v_Self -> i16 -> v_Self -> Type0; f_bitwise_and_with_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_bitwise_and_with_constant_pre x0 x1) (fun result -> f_bitwise_and_with_constant_post x0 x1 result); - f_shift_right_pre:v_SHIFT_BY: i32 -> v: v_Self - -> pred: Type0{v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l ==> pred}; - f_shift_right_post:v_SHIFT_BY: i32 -> v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - f_repr result == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (f_repr v) }; + f_shift_right_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_right_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; f_shift_right:v_SHIFT_BY: i32 -> x0: v_Self -> Prims.Pure v_Self (f_shift_right_pre v_SHIFT_BY x0) (fun result -> f_shift_right_post v_SHIFT_BY x0 result); - f_cond_subtract_3329_pre:v: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr v) ==> pred}; - f_cond_subtract_3329_post:v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - f_repr result == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr v) }; + f_cond_subtract_3329_pre:v_Self -> Type0; + f_cond_subtract_3329_post:v_Self -> v_Self -> Type0; f_cond_subtract_3329_:x0: v_Self -> Prims.Pure v_Self (f_cond_subtract_3329_pre x0) (fun result -> f_cond_subtract_3329_post x0 result); - f_barrett_reduce_pre:vector: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array 28296 (f_repr vector) ==> pred}; + f_barrett_reduce_pre:v_Self -> Type0; f_barrett_reduce_post:v_Self -> v_Self -> Type0; f_barrett_reduce:x0: v_Self -> Prims.Pure v_Self (f_barrett_reduce_pre x0) (fun result -> f_barrett_reduce_post x0 result); - f_montgomery_multiply_by_constant_pre:v: v_Self -> c: i16 - -> pred: Type0{Spec.Utils.is_i16b 1664 c ==> pred}; + f_montgomery_multiply_by_constant_pre:v_Self -> i16 -> Type0; f_montgomery_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_montgomery_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_montgomery_multiply_by_constant_pre x0 x1) (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); - f_compress_1_pre:a: v_Self - -> pred: - Type0 - { (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_1_post:a: v_Self -> result: v_Self - -> pred: Type0{pred ==> (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) 1)}; + f_compress_1_pre:v_Self -> Type0; + f_compress_1_post:v_Self -> v_Self -> Type0; f_compress_1_:x0: v_Self -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result); - f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self - -> pred: - Type0 - { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS)) - }; + f_compress_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; + f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_compress_pre v_COEFFICIENT_BITS x0) (fun result -> f_compress_post v_COEFFICIENT_BITS x0 result); - f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v: v_Self - -> pred: - Type0 - { v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l ==> - pred }; + f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; f_decompress_ciphertext_coefficient_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_decompress_ciphertext_coefficient:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_decompress_ciphertext_coefficient_pre v_COEFFICIENT_BITS x0) (fun result -> f_decompress_ciphertext_coefficient_post v_COEFFICIENT_BITS x0 result); - f_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 6 * 3328) (f_repr out)}; + f_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr out)}; + f_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16 -> Prims.Pure v_Self (f_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_ntt_layer_2_step_post x0 x1 x2 result); - f_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr out)}; + f_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_ntt_layer_3_step_pre x0 x1) (fun result -> f_ntt_layer_3_step_post x0 x1 result); - f_inv_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr a) ==> - pred }; - f_inv_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_inv_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_inv_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_inv_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (f_repr a) ==> - pred }; - f_inv_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_inv_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_inv_ntt_layer_2_step_post x0 x1 x2 result); - f_inv_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0{Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (f_repr a) ==> pred}; - f_inv_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_inv_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_inv_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_3_step_pre x0 x1) (fun result -> f_inv_ntt_layer_3_step_post x0 x1 result); - f_ntt_multiply_pre: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (f_repr lhs) /\ Spec.Utils.is_i16b_array 3328 (f_repr rhs) ==> - pred }; - f_ntt_multiply_post: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_ntt_multiply_pre:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_multiply_post:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_multiply:x0: v_Self -> x1: v_Self -> x2: i16 -> x3: i16 -> x4: i16 -> x5: i16 -> Prims.Pure v_Self (f_ntt_multiply_pre x0 x1 x2 x3 x4 x5) (fun result -> f_ntt_multiply_post x0 x1 x2 x3 x4 x5 result); - f_serialize_1_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 1 (f_repr a) ==> pred}; - f_serialize_1_post:a: v_Self -> result: t_Array u8 (sz 2) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 1 (f_repr a) ==> Spec.MLKEM.serialize_post 1 (f_repr a) result }; + f_serialize_1_pre:v_Self -> Type0; + f_serialize_1_post:v_Self -> t_Array u8 (sz 2) -> Type0; f_serialize_1_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 2)) (f_serialize_1_pre x0) (fun result -> f_serialize_1_post x0 result); - f_deserialize_1_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 2 ==> pred}; - f_deserialize_1_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (f_repr result)}; + f_deserialize_1_pre:t_Slice u8 -> Type0; + f_deserialize_1_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_1_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_1_pre x0) (fun result -> f_deserialize_1_post x0 result); - f_serialize_4_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 4 (f_repr a) ==> pred}; - f_serialize_4_post:a: v_Self -> result: t_Array u8 (sz 8) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 4 (f_repr a) ==> Spec.MLKEM.serialize_post 4 (f_repr a) result }; + f_serialize_4_pre:v_Self -> Type0; + f_serialize_4_post:v_Self -> t_Array u8 (sz 8) -> Type0; f_serialize_4_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 8)) (f_serialize_4_pre x0) (fun result -> f_serialize_4_post x0 result); - f_deserialize_4_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 8 ==> pred}; - f_deserialize_4_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (f_repr result)}; + f_deserialize_4_pre:t_Slice u8 -> Type0; + f_deserialize_4_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_4_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_4_pre x0) (fun result -> f_deserialize_4_post x0 result); f_serialize_5_pre:v_Self -> Type0; @@ -326,28 +145,18 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 10)) (f_serialize_5_pre x0) (fun result -> f_serialize_5_post x0 result); - f_deserialize_5_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 10 ==> pred}; + f_deserialize_5_pre:t_Slice u8 -> Type0; f_deserialize_5_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_5_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_5_pre x0) (fun result -> f_deserialize_5_post x0 result); - f_serialize_10_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 10 (f_repr a) ==> pred}; - f_serialize_10_post:a: v_Self -> result: t_Array u8 (sz 20) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 10 (f_repr a) ==> Spec.MLKEM.serialize_post 10 (f_repr a) result - }; + f_serialize_10_pre:v_Self -> Type0; + f_serialize_10_post:v_Self -> t_Array u8 (sz 20) -> Type0; f_serialize_10_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 20)) (f_serialize_10_pre x0) (fun result -> f_serialize_10_post x0 result); - f_deserialize_10_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 20 ==> pred}; - f_deserialize_10_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (f_repr result)}; + f_deserialize_10_pre:t_Slice u8 -> Type0; + f_deserialize_10_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_10_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_10_pre x0) (fun result -> f_deserialize_10_post x0 result); f_serialize_11_pre:v_Self -> Type0; @@ -356,52 +165,28 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 22)) (f_serialize_11_pre x0) (fun result -> f_serialize_11_post x0 result); - f_deserialize_11_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 22 ==> pred}; + f_deserialize_11_pre:t_Slice u8 -> Type0; f_deserialize_11_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_11_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_11_pre x0) (fun result -> f_deserialize_11_post x0 result); - f_serialize_12_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 12 (f_repr a) ==> pred}; - f_serialize_12_post:a: v_Self -> result: t_Array u8 (sz 24) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 12 (f_repr a) ==> Spec.MLKEM.serialize_post 12 (f_repr a) result - }; + f_serialize_12_pre:v_Self -> Type0; + f_serialize_12_post:v_Self -> t_Array u8 (sz 24) -> Type0; f_serialize_12_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 24)) (f_serialize_12_pre x0) (fun result -> f_serialize_12_post x0 result); - f_deserialize_12_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 24 ==> pred}; - f_deserialize_12_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (f_repr result)}; + f_deserialize_12_pre:t_Slice u8 -> Type0; + f_deserialize_12_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_12_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_12_pre x0) (fun result -> f_deserialize_12_post x0 result); - f_rej_sample_pre:a: t_Slice u8 -> out: t_Slice i16 - -> pred: - Type0 - { (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. sz 16 ==> - pred }; - f_rej_sample_post:a: t_Slice u8 -> out: t_Slice i16 -> x: (t_Slice i16 & usize) - -> pred: - Type0 - { pred ==> - (let out_future, result:(t_Slice i16 & usize) = x in - Seq.length out_future == Seq.length out /\ v result <= 16) }; + f_rej_sample_pre:t_Slice u8 -> t_Slice i16 -> Type0; + f_rej_sample_post:t_Slice u8 -> t_Slice i16 -> (t_Slice i16 & usize) -> Type0; f_rej_sample:x0: t_Slice u8 -> x1: t_Slice i16 -> Prims.Pure (t_Slice i16 & usize) (f_rej_sample_pre x0 x1) (fun result -> f_rej_sample_post x0 x1 result) } -let v_BARRETT_SHIFT: i32 = 26l - -let v_BARRETT_R: i32 = 1l </bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. + +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + +VERIFIED = +PANIC_FREE = Libcrux_ml_kem.Constant_time_ops.fst \ + Libcrux_ml_kem.Constant_time_ops.fsti \ + Libcrux_ml_kem.Constants.fsti \ + Libcrux_ml_kem.Hash_functions.Avx2.fsti \ + Libcrux_ml_kem.Hash_functions.fsti \ + Libcrux_ml_kem.Hash_functions.Neon.fsti \ + Libcrux_ml_kem.Hash_functions.Portable.fsti \ + Libcrux_ml_kem.Ind_cca.fsti \ + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst \ + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti \ + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst \ + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti \ + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst \ + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti \ + Libcrux_ml_kem.Ind_cca.Multiplexing.fst \ + Libcrux_ml_kem.Ind_cca.Multiplexing.fsti \ + Libcrux_ml_kem.Ind_cpa.fsti \ + Libcrux_ml_kem.Ind_cpa.Unpacked.fsti \ + Libcrux_ml_kem.Invert_ntt.fsti \ + Libcrux_ml_kem.Matrix.fsti \ + Libcrux_ml_kem.Mlkem512.Avx2.fst \ + Libcrux_ml_kem.Mlkem512.Avx2.fsti \ + Libcrux_ml_kem.Mlkem512.fst \ + Libcrux_ml_kem.Mlkem512.fsti \ + Libcrux_ml_kem.Mlkem512.Neon.fst \ + Libcrux_ml_kem.Mlkem512.Neon.fsti \ + Libcrux_ml_kem.Mlkem512.Portable.fst \ + Libcrux_ml_kem.Mlkem512.Portable.fsti \ + Libcrux_ml_kem.Mlkem768.Avx2.fst \ + Libcrux_ml_kem.Mlkem768.Avx2.fsti \ + Libcrux_ml_kem.Mlkem768.fst \ + Libcrux_ml_kem.Mlkem768.fsti \ + Libcrux_ml_kem.Mlkem768.Neon.fst \ + Libcrux_ml_kem.Mlkem768.Neon.fsti \ + Libcrux_ml_kem.Mlkem768.Portable.fst \ + Libcrux_ml_kem.Mlkem768.Portable.fsti \ + Libcrux_ml_kem.Mlkem1024.Avx2.fst \ + Libcrux_ml_kem.Mlkem1024.Avx2.fsti \ + Libcrux_ml_kem.Mlkem1024.fst \ + Libcrux_ml_kem.Mlkem1024.fsti \ + Libcrux_ml_kem.Mlkem1024.Neon.fst \ + Libcrux_ml_kem.Mlkem1024.Neon.fsti \ + Libcrux_ml_kem.Mlkem1024.Portable.fst \ + Libcrux_ml_kem.Mlkem1024.Portable.fsti \ + Libcrux_ml_kem.Ntt.fsti \ + Libcrux_ml_kem.Polynomial.fsti \ + Libcrux_ml_kem.Sampling.fsti \ + Libcrux_ml_kem.Serialize.fsti \ + Libcrux_ml_kem.Types.fst \ + Libcrux_ml_kem.Types.fsti \ + Libcrux_ml_kem.Utils.fst \ + Libcrux_ml_kem.Utils.fsti \ + Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti \ + Libcrux_ml_kem.Vector.Avx2.Compress.fsti \ + Libcrux_ml_kem.Vector.Avx2.fsti \ + Libcrux_ml_kem.Vector.Avx2.Ntt.fsti \ + Libcrux_ml_kem.Vector.Avx2.Sampling.fsti \ + Libcrux_ml_kem.Vector.Avx2.Serialize.fsti \ + Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti \ + Libcrux_ml_kem.Vector.Neon.Compress.fsti \ + Libcrux_ml_kem.Vector.Neon.fsti \ + Libcrux_ml_kem.Vector.Neon.Ntt.fsti \ + Libcrux_ml_kem.Vector.Neon.Serialize.fsti \ + Libcrux_ml_kem.Vector.Neon.Vector_type.fsti \ + Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti \ + Libcrux_ml_kem.Vector.Portable.Compress.fsti \ + Libcrux_ml_kem.Vector.Portable.fsti \ + Libcrux_ml_kem.Vector.Portable.Ntt.fsti \ + Libcrux_ml_kem.Vector.Portable.Sampling.fsti \ + Libcrux_ml_kem.Vector.Portable.Serialize.fsti \ + Libcrux_ml_kem.Vector.Portable.Vector_type.fsti \ + Libcrux_ml_kem.Vector.Rej_sample_table.fsti \ + Libcrux_ml_kem.Vector.Traits.fsti + +UNVERIFIED = $(filter-out $(PANIC_FREE),$(wildcard *.fst)) + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +PANIC_FREE_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(PANIC_FREE))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(UNVERIFIED) $(PANIC_FREE) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives \ + $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) \ + ../../../../sys/platform/proofs/fstar/extraction/ \ + ../../../../libcrux-intrinsics/proofs/fstar/extraction/ \ + ../../../../libcrux-sha3/proofs/fstar/extraction/ + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(PANIC_FREE_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs index 02ea01eca..b37bad7a1 100644 --- a/libcrux-ml-kem/src/constant_time_ops.rs +++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -11,44 +11,13 @@ use crate::constants::SHARED_SECRET_SIZE; // XXX: We have to disable this for C extraction for now. See eurydice/issues#37 /// Return 1 if `value` is not zero and 0 otherwise. -#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\ - ($value =!= 0uy ==> $result == 1uy)"))] fn inz(value: u8) -> u8 { - let _orig_value = value; let value = value as u16; - let result = ((!value).wrapping_add(1) >> 8) as u8; - let res = result & 1; - hax_lib::fstar!("if v $_orig_value = 0 then ( - assert($value == zero); - lognot_lemma $value; - assert((~.$value +. 1us) == zero); - assert((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) == zero); - logor_lemma $value zero; - assert(($value |. (Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) <: u16) == $value); - assert (v $result == v (($value >>! 8l))); - assert ((v $value / pow2 8) == 0); - assert ($result == 0uy); - logand_lemma 1uy $result; - assert ($res == 0uy)) - else ( - assert (v $value <> 0); - lognot_lemma $value; - assert (v (~.$value) = pow2 16 - 1 - v $value); - assert (v (~.$value) + 1 = pow2 16 - v $value); - assert (v ($value) <= pow2 8 - 1); - assert ((v (~.$value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v $value)); - assert ((v (~.$value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v $value)); - assert ((v (~.$value) + 1)/pow2 8 = (pow2 8 - 1)); - assert (v ((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) >>! 8l) = pow2 8 - 1); - assert ($result = ones); - logand_lemma 1uy $result; - assert ($res = 1uy))"); - res + let result = ((value | (!value).wrapping_add(1)) >> 8) & 1; + result as u8 } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\ - ($value =!= 0uy ==> $result == 1uy)"))] fn is_non_zero(value: u8) -> u8 { #[cfg(eurydice)] return inz(value); @@ -59,46 +28,13 @@ fn is_non_zero(value: u8) -> u8 { /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { let mut r: u8 = 0; for i in 0..lhs.len() { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= Seq.length $lhs /\\ - (if (Seq.slice $lhs 0 (v $i) = Seq.slice $rhs 0 (v $i)) then - $r == 0uy - else ~ ($r == 0uy))") }); - let nr = r | (lhs[i] ^ rhs[i]); - hax_lib::fstar!("if $r =. 0uy then ( - if (Seq.index $lhs (v $i) = Seq.index $rhs (v $i)) then ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) = zero); - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert ($nr = $r); - assert (forall j. Seq.index (Seq.slice $lhs 0 (v $i)) j == Seq.index $lhs j); - assert (forall j. Seq.index (Seq.slice $rhs 0 (v $i)) j == Seq.index $rhs j); - eq_intro (Seq.slice $lhs 0 ((v $i) + 1)) (Seq.slice $rhs 0 ((v $i) + 1)) - ) - else ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) <> zero); - logor_lemma r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr > 0); - assert (Seq.index (Seq.slice $lhs 0 ((v $i)+1)) (v $i) <> - Seq.index (Seq.slice $rhs 0 ((v $i)+1)) (v $i)); - assert (Seq.slice $lhs 0 ((v $i)+1) <> Seq.slice $rhs 0 ((v $i) + 1)) - ) - ) else ( - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr >= v $r); - assert (Seq.slice $lhs 0 (v $i) <> Seq.slice $rhs 0 (v $i)); - if (Seq.slice $lhs 0 ((v $i)+1) = Seq.slice $rhs 0 ((v $i) + 1)) then - (assert (forall j. j < (v $i) + 1 ==> Seq.index (Seq.slice $lhs 0 ((v $i)+1)) j == Seq.index (Seq.slice $rhs 0 ((v $i)+1)) j); - eq_intro (Seq.slice $lhs 0 (v $i)) (Seq.slice $rhs 0 (v $i)); - assert(False)) - )"); - r = nr; + r |= lhs[i] ^ rhs[i]; } is_non_zero(r) @@ -106,65 +42,25 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] -#[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")] +))] fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { let mask = is_non_zero(selector).wrapping_sub(1); - hax_lib::fstar!("assert (if $selector = 0uy then $mask = ones else $mask = zero); - lognot_lemma $mask; - assert (if $selector = 0uy then ~.$mask = zero else ~.$mask = ones)"); let mut out = [0u8; SHARED_SECRET_SIZE]; for i in 0..SHARED_SECRET_SIZE { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= v $SHARED_SECRET_SIZE /\\ - (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\\ - (forall j. j >= v $i ==> Seq.index $out j == 0uy)") }); - hax_lib::fstar!("assert ((${out}.[ $i ] <: u8) = 0uy)"); - let outi = (lhs[i] & mask) | (rhs[i] & !mask); - hax_lib::fstar!("if ($selector = 0uy) then ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == (${lhs}.[ $i ] <: u8)); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == zero); - logor_lemma ((${lhs}.[ $i ] <: u8) &. $mask <: u8) ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${lhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - assert ($outi = (${lhs}.[ $i ] <: u8)) - ) - else ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == zero); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${rhs}.[ $i ] <: u8) zero; - assert ((logor zero (${rhs}.[ $i ] <: u8)) == (${rhs}.[ $i ] <: u8)); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8)) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - assert ($outi = (${rhs}.[ $i ] <: u8)) - )"); - out[i] = outi; + out[i] = (lhs[i] & mask) | (rhs[i] & !mask); } - hax_lib::fstar!("if ($selector =. 0uy) then ( - eq_intro $out $lhs - ) - else ( - eq_intro $out $rhs - )"); out } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 { #[cfg(eurydice)] return compare(lhs, rhs); @@ -174,12 +70,10 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] +))] pub(crate) fn select_shared_secret_in_constant_time( lhs: &[u8], rhs: &[u8], @@ -192,14 +86,11 @@ pub(crate) fn select_shared_secret_in_constant_time( core::hint::black_box(select_ct(lhs, rhs, selector)) } -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs_c.len() == rhs_c.len() && lhs_s.len() == rhs_s.len() && lhs_s.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in - ((selector == 0uy ==> $result == $lhs_s) /\\ - (selector =!= 0uy ==> $result == $rhs_s))"))] +))] pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time( lhs_c: &[u8], rhs_c: &[u8], diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index d365818ff..3b0e5e290 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs @@ -26,25 +26,12 @@ pub(crate) const THREE_BLOCKS: usize = BLOCK_SIZE * 3; #[hax_lib::attributes] pub(crate) trait Hash { /// G aka SHA3 512 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE]; /// H aka SHA3 256 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE]; /// PRF aka SHAKE256 - #[requires(fstar!("v $LEN < pow2 32"))] - #[ensures(|result| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input")) - ] fn PRF(input: &[u8]) -> [u8; LEN]; /// PRFxN aka N SHAKE256 @@ -57,16 +44,13 @@ pub(crate) trait Hash { fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K]; /// Create a SHAKE128 state and absorb the input. - #[requires(true)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self; + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self; /// Squeeze 3 blocks out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; /// Squeeze 1 block out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; } /// A portable implementation of [`Hash`] @@ -74,7 +58,10 @@ pub(crate) mod portable { use super::*; use libcrux_sha3::portable::{ self, - incremental, + incremental::{ + shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks, + shake128_squeeze_next_block, + }, KeccakState, }; @@ -87,9 +74,6 @@ pub(crate) mod portable { shake128_state: [KeccakState; K], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -97,9 +81,6 @@ pub(crate) mod portable { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -107,10 +88,6 @@ pub(crate) mod portable { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; @@ -134,66 +111,52 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> PortableHash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> PortableHash { debug_assert!(K == 2 || K == 3 || K == 4); - let mut shake128_state = [incremental::shake128_init(); K]; + let mut shake128_state = [shake128_init(); K]; for i in 0..K { - incremental::shake128_absorb_final(&mut shake128_state[i], &input[i]); + shake128_absorb_final(&mut shake128_state[i], &input[i]); } PortableHash { shake128_state } } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut PortableHash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; THREE_BLOCKS]; K]; for i in 0..K { - incremental::shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); } out } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; for i in 0..K { - incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); } out } #[hax_lib::attributes] impl Hash for PortableHash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) @@ -211,18 +174,18 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -245,9 +208,6 @@ pub(crate) mod avx2 { shake128_state: KeccakState, } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -255,9 +215,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -265,10 +222,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; @@ -323,7 +276,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd256Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd256Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = x4::incremental::init(); @@ -352,7 +305,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd256Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -390,7 +343,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; let mut out0 = [0u8; BLOCK_SIZE]; @@ -427,30 +380,16 @@ pub(crate) mod avx2 { #[hax_lib::attributes] impl Hash for Simd256Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[hax_lib::ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) @@ -468,18 +407,18 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -499,9 +438,6 @@ pub(crate) mod neon { shake128_state: [KeccakState; 2], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -509,9 +445,6 @@ pub(crate) mod neon { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -519,10 +452,6 @@ pub(crate) mod neon { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; @@ -570,7 +499,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd128Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd128Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = [x2::incremental::init(), x2::incremental::init()]; match K as u8 { @@ -594,7 +523,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd128Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -652,7 +581,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; @@ -709,30 +638,16 @@ pub(crate) mod neon { #[hax_lib::attributes] impl Hash for Simd128Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) @@ -751,18 +666,18 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index 3d05ce368..7a8aa68cb 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -35,16 +35,6 @@ pub(crate) mod instantiations; /// Serialize the secret key. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] -#[hax_lib::ensures(|result| fstar!("$result == Seq.append $private_key ( - Seq.append $public_key ( - Seq.append (Spec.Utils.v_H $public_key) - $implicit_rejection_value))"))] fn serialize_kem_secret_key>( private_key: &[u8], public_key: &[u8], @@ -60,25 +50,6 @@ fn serialize_kem_secret_key( public_key: &[u8; PUBLIC_KEY_SIZE], ) -> bool { - let deserialized_pk = deserialize_ring_elements_reduced_out::( + let deserialized_pk = deserialize_ring_elements_reduced_out::( &public_key[..RANKED_BYTES_PER_RING_ELEMENT], ); let public_key_serialized = @@ -117,9 +85,6 @@ fn validate_public_key< /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` /// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -233,11 +198,8 @@ fn encapsulate< ) -> (MlKemCiphertext, MlKemSharedSecret) { let randomness = Scheme::entropy_preprocess::(&randomness); let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $randomness"); to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice())); - hax_lib::fstar!("assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness); - lemma_slice_append $to_hash $randomness (Spec.Utils.v_H ${public_key}.f_value); - assert ($to_hash == concat $randomness (Spec.Utils.v_H ${public_key}.f_value))"); + let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); @@ -260,6 +222,7 @@ fn encapsulate< let ciphertext = MlKemCiphertext::from(ciphertext); let shared_secret_array = Scheme::kdf::(shared_secret, &ciphertext); + (ciphertext, shared_secret_array) } @@ -308,17 +271,10 @@ pub(crate) fn decapsulate< private_key: &MlKemPrivateKey, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { - hax_lib::fstar!("assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)"); let (ind_cpa_secret_key, secret_key) = private_key.value.split_at(CPA_SECRET_KEY_SIZE); let (ind_cpa_public_key, secret_key) = secret_key.split_at(PUBLIC_KEY_SIZE); let (ind_cpa_public_key_hash, implicit_rejection_value) = secret_key.split_at(H_DIGEST_SIZE); - hax_lib::fstar!("assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE); - assert ($ind_cpa_public_key == slice ${private_key}.f_value $CPA_SECRET_KEY_SIZE ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE)); - assert ($ind_cpa_public_key_hash == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE) - ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length ${private_key}.f_value))"); let decrypted = crate::ind_cpa::decrypt::< K, CIPHERTEXT_SIZE, @@ -329,31 +285,16 @@ pub(crate) fn decapsulate< >(ind_cpa_secret_key, &ciphertext.value); let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $decrypted"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash); - hax_lib::fstar!("lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash; - assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value); - assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"); let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); - hax_lib::fstar!("assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE); - assert (length $implicit_rejection_value = $SECRET_KEY_SIZE -! $CPA_SECRET_KEY_SIZE -! $PUBLIC_KEY_SIZE -! $H_DIGEST_SIZE); - assert (length $implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)"); let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = into_padded_array(implicit_rejection_value); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref()); - hax_lib::fstar!("assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) $to_hash); - lemma_slice_append $to_hash $implicit_rejection_value ${ciphertext}.f_value"); let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash); - hax_lib::fstar!("assert ($implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) $to_hash); - assert (Seq.length $ind_cpa_public_key == v $PUBLIC_KEY_SIZE)"); let expected_ciphertext = crate::ind_cpa::encrypt::< K, CIPHERTEXT_SIZE, @@ -375,13 +316,12 @@ pub(crate) fn decapsulate< Scheme::kdf::(&implicit_rejection_shared_secret, ciphertext); let shared_secret = Scheme::kdf::(shared_secret, ciphertext); - let shared_secret = compare_ciphertexts_select_shared_secret_in_constant_time( - ciphertext.as_ref(), - &expected_ciphertext, - &shared_secret, - &implicit_rejection_shared_secret, - ); - shared_secret + compare_ciphertexts_select_shared_secret_in_constant_time( + ciphertext.as_ref(), + &expected_ciphertext, + &shared_secret, + &implicit_rejection_shared_secret, + ) } /// Types for the unpacked API. @@ -445,7 +385,7 @@ pub(crate) mod unpacked { public_key: &MlKemPublicKey, unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key.value[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.ind_cpa_public_key.t_as_ntt, ); diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs index fc2e754e2..8b9806142 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs @@ -7,19 +7,12 @@ macro_rules! instantiate { }; /// Portable generate key pair. - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( @@ -30,7 +23,7 @@ macro_rules! instantiate { CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, $vector, @@ -144,19 +137,6 @@ macro_rules! instantiate { >(public_key, randomness) } - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -166,7 +146,7 @@ macro_rules! instantiate { const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -184,7 +164,7 @@ macro_rules! instantiate { C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -242,23 +222,6 @@ macro_rules! instantiate { } /// Portable decapsulate - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs index afaa606be..9dff8843a 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs @@ -5,7 +5,7 @@ use crate::{ #[allow(unsafe_code)] /// Portable generate key pair. -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, @@ -58,7 +58,7 @@ pub(crate) fn generate_keypair< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, @@ -111,7 +111,7 @@ pub(crate) fn kyber_generate_keypair< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn validate_public_key_avx2< const K: usize, const RANKED_BYTES_PER_RING_ELEMENT: usize, @@ -141,7 +141,7 @@ pub(crate) fn validate_public_key< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn validate_private_key_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -174,7 +174,7 @@ pub(crate) fn validate_private_key< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -253,7 +253,7 @@ pub(crate) fn kyber_encapsulate< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -332,7 +332,7 @@ pub(crate) fn encapsulate< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_decapsulate_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -423,7 +423,7 @@ pub fn kyber_decapsulate< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn decapsulate_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -522,7 +522,7 @@ pub(crate) mod unpacked { crate::ind_cca::unpacked::MlKemPublicKeyUnpacked; /// Get the unpacked public key. - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn unpack_public_key_avx2< const K: usize, @@ -565,7 +565,7 @@ pub(crate) mod unpacked { } #[allow(unsafe_code)] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, @@ -620,7 +620,7 @@ pub(crate) mod unpacked { } #[allow(unsafe_code)] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -697,7 +697,7 @@ pub(crate) mod unpacked { } } - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn decapsulate_avx2< const K: usize, diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs index 4a78a567b..88098f375 100644 --- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs +++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs @@ -52,9 +52,6 @@ use instantiations::portable::{ kyber_generate_keypair as kyber_generate_keypair_neon, }; -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))] #[inline(always)] pub(crate) fn validate_public_key< const K: usize, @@ -69,9 +66,6 @@ pub(crate) fn validate_public_key< } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] pub(crate) fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -132,19 +126,12 @@ pub(crate) fn kyber_generate_keypair< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( @@ -157,7 +144,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -167,7 +154,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -177,7 +164,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -254,19 +241,6 @@ pub(crate) fn kyber_encapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -276,7 +250,7 @@ pub(crate) fn encapsulate< const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -295,7 +269,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -311,7 +285,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -327,7 +301,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -418,22 +392,6 @@ pub(crate) fn kyber_decapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub(crate) fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index 4891caff8..08cd6a687 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs @@ -600,7 +600,6 @@ fn compress_then_serialize_u< $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] - #[hax_lib::ensures(|result| fstar!("$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_t_as_ntt) @@ -736,7 +735,7 @@ pub(crate) fn encrypt< let mut unpacked_public_key = IndCpaPublicKeyUnpacked::::default(); // tˆ := Decode_12(pk) - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.t_as_ntt, ); diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs index 49fa7fea5..12b60f3cf 100644 --- a/libcrux-ml-kem/src/invert_ntt.rs +++ b/libcrux-ml-kem/src/invert_ntt.rs @@ -1,152 +1,68 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, get_zeta}, + polynomial::{PolynomialRingElement, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations, FIELD_ELEMENTS_IN_VECTOR}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 128 /\\ - invert_ntt_re_range_1 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 64"))] pub(crate) fn invert_ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), - get_zeta (*zeta_i - 2), - get_zeta (*zeta_i - 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3], ); *zeta_i -= 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 64 /\\ - invert_ntt_re_range_2 $re "))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 32"))] pub(crate) fn invert_ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], ); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 32 /\\ - invert_ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 16"))] pub(crate) fn invert_ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::inv_ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::inv_ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\\ - Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array - (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"))] pub(crate) fn inv_ntt_layer_int_vec_step_reduce( mut a: Vector, mut b: Vector, @@ -157,10 +73,7 @@ pub(crate) fn inv_ntt_layer_int_vec_step_reduce( b = montgomery_multiply_fe::(a_minus_b, zeta_r); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7"))] pub(crate) fn invert_ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, @@ -181,7 +94,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus( let (x, y) = inv_ntt_layer_int_vec_step_reduce( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; @@ -191,7 +104,6 @@ pub(crate) fn invert_ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::requires(fstar!("invert_ntt_re_range_1 $re"))] pub(crate) fn invert_ntt_montgomery( re: &mut PolynomialRingElement, ) { diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs index 01c2d987d..bbdcbe2ba 100644 --- a/libcrux-ml-kem/src/matrix.rs +++ b/libcrux-ml-kem/src/matrix.rs @@ -5,14 +5,6 @@ use crate::{ #[inline(always)] #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in - valid ==> ( - if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A - else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)") -)] pub(crate) fn sample_matrix_A>( A_transpose: &mut [[PolynomialRingElement; K]; K], seed: [u8; 34], @@ -45,17 +37,6 @@ pub(crate) fn sample_matrix_A( v: &PolynomialRingElement, secret_as_ntt: &[PolynomialRingElement; K], @@ -76,18 +57,6 @@ pub(crate) fn compute_message( /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t $t_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e2_spec = to_spec_poly_t $error_2 in - let m_spec = to_spec_poly_t $message in - let res_spec = to_spec_poly_t $res in - res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res") -)] pub(crate) fn compute_ring_element_v( t_as_ntt: &[PolynomialRingElement; K], r_as_ntt: &[PolynomialRingElement; K], @@ -109,18 +78,6 @@ pub(crate) fn compute_ring_element_v( /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t $a_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e_spec = to_spec_vector_t $error_1 in - let res_spec = to_spec_vector_t $res in - res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))") -)] pub(crate) fn compute_vector_u( a_as_ntt: &[[PolynomialRingElement; K]; K], r_as_ntt: &[PolynomialRingElement; K], diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs index 6bc86a8cf..875406268 100644 --- a/libcrux-ml-kem/src/mlkem1024.rs +++ b/libcrux-ml-kem/src/mlkem1024.rs @@ -410,11 +410,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem1024KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { @@ -435,12 +430,6 @@ pub fn generate_key_pair( /// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem1024PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -467,11 +456,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem1024PrivateKey, ciphertext: &MlKem1024Ciphertext, diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs index cad3bd02b..4fae634c0 100644 --- a/libcrux-ml-kem/src/mlkem512.rs +++ b/libcrux-ml-kem/src/mlkem512.rs @@ -3,31 +3,34 @@ use super::{constants::*, ind_cca::*, types::*, *}; // Kyber 512 parameters const RANK_512: usize = 2; -const RANKED_BYTES_PER_RING_ELEMENT_512: usize = 768; -const T_AS_NTT_ENCODED_SIZE_512: usize = 768; +const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C1_BLOCK_SIZE_512: usize = 320; +const C1_BLOCK_SIZE_512: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8; // [hax]: hacspec/hacspec-v2#27 stealing error // serialized_len::() -const C1_SIZE_512: usize = 640; +const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512; const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C2_SIZE_512: usize = 128; -const CPA_PKE_SECRET_KEY_SIZE_512: usize = 768; -pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = 800; -const CPA_PKE_CIPHERTEXT_SIZE_512: usize = 768; - -pub(crate) const SECRET_KEY_SIZE_512: usize = 1632; +const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8; +const CPA_PKE_SECRET_KEY_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32; +const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512; +pub(crate) const SECRET_KEY_SIZE_512: usize = + CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE; const ETA1: usize = 3; -const ETA1_RANDOMNESS_SIZE: usize = 192; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; -const ETA2_RANDOMNESS_SIZE: usize = 128; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; -const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = 800; +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_512; // Kyber 512 types /// An ML-KEM 512 Ciphertext @@ -400,11 +403,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem512KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair { multiplexing::generate_keypair::< RANK_512, @@ -423,12 +421,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512 /// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem512PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -455,11 +447,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem512PrivateKey, ciphertext: &MlKem512Ciphertext, diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs index 17cf7aadf..4f5f114e3 100644 --- a/libcrux-ml-kem/src/mlkem768.rs +++ b/libcrux-ml-kem/src/mlkem768.rs @@ -398,11 +398,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem768KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair { multiplexing::generate_keypair::< RANK_768, @@ -421,12 +416,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768 /// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem768PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -453,11 +442,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem768PrivateKey, ciphertext: &MlKem768Ciphertext, diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs index 9008f7190..34d225564 100644 --- a/libcrux-ml-kem/src/ntt.rs +++ b/libcrux-ml-kem/src/ntt.rs @@ -1,168 +1,71 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, get_zeta}, + polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 63 /\\ - ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_1 ${re}_future /\\ - v ${*zeta_i}_future == 127"))] pub(crate) fn ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), - get_zeta (*zeta_i + 2), - get_zeta (*zeta_i + 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], ); *zeta_i += 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 31 /\\ - ntt_re_range_3 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 63"))] pub(crate) fn ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], ); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 15 /\\ - ntt_re_range_4 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_3 ${re}_future /\\ - v ${*zeta_i}_future == 31"))] pub(crate) fn ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (let t = ${montgomery_multiply_fe::} $b $zeta_r in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"))] fn ntt_layer_int_vec_step( mut a: Vector, mut b: Vector, @@ -173,28 +76,16 @@ fn ntt_layer_int_vec_step( a = Vector::add(a, &t); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7 /\\ - ((v $layer == 4 ==> v ${*zeta_i} == 7) /\\ - (v $layer == 5 ==> v ${*zeta_i} == 3) /\\ - (v $layer == 6 ==> v ${*zeta_i} == 1) /\\ - (v $layer == 7 ==> v ${*zeta_i} == 0))"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_4 ${re}_future /\\ - (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\\ - (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\\ - (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\\ - (v $layer == 7 ==> v ${*zeta_i}_future == 1)"))] pub(crate) fn ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, layer: usize, _initial_coefficient_bound: usize, ) { + debug_assert!(layer >= 4); let step = 1 << layer; - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..(128 >> layer) { @@ -208,7 +99,7 @@ pub(crate) fn ntt_at_layer_4_plus( let (x, y) = ntt_layer_int_vec_step( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; @@ -218,36 +109,11 @@ pub(crate) fn ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -//We should make the loops inside this function `opaque_to_smt` to get it work -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))")] -#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ]) - (${re}.f_coefficients.[ sz i +! sz 8 ])"))] pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement) { let step = VECTORS_IN_RING_ELEMENT / 2; - hax_lib::fstar!("assert (v $step == 8)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..step { - hax_lib::loop_invariant!(|j: usize| { fstar!("(v j < 8 ==> - (forall (i:nat). (i >= v j /\\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))") }); - hax_lib::fstar!("reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"); let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600); re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t); re.coefficients[j] = Vector::add(re.coefficients[j], &t); @@ -270,12 +136,12 @@ pub(crate) fn ntt_binomially_sampled_ring_element( ntt_at_layer_7(re); let mut zeta_i = 1; - ntt_at_layer_4_plus(&mut zeta_i, re, 6, 11207); - ntt_at_layer_4_plus(&mut zeta_i, re, 5, 11207+3328); - ntt_at_layer_4_plus(&mut zeta_i, re, 4, 11207+2*3328); - ntt_at_layer_3(&mut zeta_i, re, 3, 11207+3*3328); - ntt_at_layer_2(&mut zeta_i, re, 2, 11207+4*3328); - ntt_at_layer_1(&mut zeta_i, re, 1, 11207+5*3328); + ntt_at_layer_4_plus(&mut zeta_i, re, 6, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 4, 3); + ntt_at_layer_3(&mut zeta_i, re, 3, 3); + ntt_at_layer_2(&mut zeta_i, re, 2, 3); + ntt_at_layer_1(&mut zeta_i, re, 1, 3); re.poly_barrett_reduce() } @@ -295,12 +161,12 @@ pub(crate) fn ntt_vector_u i16 { - ZETAS_TIMES_MONTGOMERY_R[i] -} +]; pub(crate) const VECTORS_IN_RING_ELEMENT: usize = super::constants::COEFFICIENTS_IN_RING_ELEMENT / FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit()"))] // XXX: We don't want to copy this. But for eurydice we have to have this. #[derive(Clone, Copy)] pub(crate) struct PolynomialRingElement { pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT], } -#[hax_lib::attributes] impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { @@ -52,7 +30,6 @@ impl PolynomialRingElement { } #[inline(always)] - #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())] pub(crate) fn from_i16_array(a: &[i16]) -> Self { let mut result = PolynomialRingElement::ZERO(); for i in 0..VECTORS_IN_RING_ELEMENT { @@ -65,7 +42,6 @@ impl PolynomialRingElement { /// sum of their constituent coefficients. #[inline(always)] pub(crate) fn add_to_ring_element(&mut self, rhs: &Self) { - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..self.coefficients.len() { @@ -76,8 +52,6 @@ impl PolynomialRingElement { #[inline(always)] pub fn poly_barrett_reduce(&mut self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { @@ -88,8 +62,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn subtract_reduce(&self, mut b: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441); @@ -101,8 +73,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_message_error_reduce(&self, message: &Self, mut result: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441); @@ -132,8 +102,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -150,8 +118,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_standard_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -207,8 +173,6 @@ impl PolynomialRingElement { // ))))] #[inline(always)] pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // hax_debug_debug_assert!(lhs // .coefficients // .into_iter() @@ -220,10 +184,10 @@ impl PolynomialRingElement { out.coefficients[i] = Vector::ntt_multiply( &self.coefficients[i], &rhs.coefficients[i], - get_zeta (64 + 4 * i), - get_zeta (64 + 4 * i + 1), - get_zeta (64 + 4 * i + 2), - get_zeta (64 + 4 * i + 3), + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 1], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 2], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 3], ); } diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs index 1a140d1a8..79e4e38e6 100644 --- a/libcrux-ml-kem/src/sampling.rs +++ b/libcrux-ml-kem/src/sampling.rs @@ -1,5 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, + constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, hax_utils::hax_debug_assert, helper::cloop, polynomial::PolynomialRingElement, vector::Operations, }; @@ -71,15 +71,14 @@ fn sample_from_uniform_distribution_next>( seeds: [[u8; 34]; K], ) -> [PolynomialRingElement; K] { let mut sampled_coefficients: [usize; K] = [0; K]; let mut out: [[i16; 272]; K] = [[0; 272]; K]; - let mut xof_state = Hasher::shake128_init_absorb_final(seeds); - let randomness = xof_state.shake128_squeeze_first_three_blocks(); + let mut xof_state = Hasher::shake128_init_absorb(seeds); + let randomness = xof_state.shake128_squeeze_three_blocks(); let mut done = sample_from_uniform_distribution_next::( randomness, @@ -93,7 +92,7 @@ pub(super) fn sample_from_xof( randomness, &mut sampled_coefficients, @@ -152,19 +151,16 @@ pub(super) fn sample_from_xof. -#[hax_lib::requires(randomness.len() == 2 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_2( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length $randomness == 128)"); let mut sampled_i16s = [0i16; 256]; cloop! { @@ -176,21 +172,12 @@ fn sample_from_binomial_distribution_2( let even_bits = random_bits_as_u32 & 0x55555555; let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555; - hax_lib::fstar!("logand_lemma $random_bits_as_u32 1431655765ul; - logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul"); let coin_toss_outcomes = even_bits + odd_bits; cloop! { for outcome_set in (0..u32::BITS).step_by(4) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 3); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 3); - assert (v $chunk_number <= 31); - assert (v (sz 8 *! $chunk_number <: usize) <= 248); - assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"); let offset = (outcome_set >> 2) as usize; sampled_i16s[8 * chunk_number + offset] = outcome_1 - outcome_2; @@ -201,19 +188,16 @@ fn sample_from_binomial_distribution_2( PolynomialRingElement::from_i16_array(&sampled_i16s) } -#[hax_lib::requires(randomness.len() == 3 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_3( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length $randomness == 192)"); let mut sampled_i16s = [0i16; 256]; cloop! { @@ -224,9 +208,6 @@ fn sample_from_binomial_distribution_3( let first_bits = random_bits_as_u24 & 0x00249249; let second_bits = (random_bits_as_u24 >> 1) & 0x00249249; let third_bits = (random_bits_as_u24 >> 2) & 0x00249249; - hax_lib::fstar!("logand_lemma $random_bits_as_u24 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul"); let coin_toss_outcomes = first_bits + second_bits + third_bits; @@ -234,13 +215,6 @@ fn sample_from_binomial_distribution_3( for outcome_set in (0..24).step_by(6) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 7); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 7); - assert (v $chunk_number <= 63); - assert (v (sz 4 *! $chunk_number <: usize) <= 252); - assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"); let offset = (outcome_set / 6) as usize; sampled_i16s[4 * chunk_number + offset] = outcome_1 - outcome_2; @@ -261,9 +235,8 @@ fn sample_from_binomial_distribution_3( pub(super) fn sample_from_binomial_distribution( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $ETA <: u32) == 2) \\/ - (v (cast $ETA <: u32) == 3))"); + hax_debug_assert!(randomness.len() == ETA * 64); + match ETA as u32 { 2 => sample_from_binomial_distribution_2(randomness), 3 => sample_from_binomial_distribution_3(randomness), diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs index 18f8444b7..7619ab59a 100644 --- a/libcrux-ml-kem/src/serialize.rs +++ b/libcrux-ml-kem/src/serialize.rs @@ -1,8 +1,9 @@ use crate::{ - constants::{COEFFICIENTS_IN_RING_ELEMENT, BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + hax_utils::hax_debug_assert, helper::cloop, polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, - vector::{decompress_1, to_unsigned_representative, Operations, FIELD_MODULUS}, + vector::{decompress_1, to_unsigned_representative, Operations}, }; #[inline(always)] @@ -16,14 +17,14 @@ let field_modulus_range (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: v_Vector) = let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\\ - v (Seq.index coef i) < v $FIELD_MODULUS")] + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -3329 /\\ + v (Seq.index coef i) < 3329")] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!("field_modulus_range $a"))] #[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"))] -pub(super) fn to_unsigned_field_modulus( + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < 3329"))] +pub(super) fn to_unsigned_field_element( a: Vector, ) -> Vector { hax_lib::fstar!("reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)"); @@ -42,12 +43,7 @@ pub(super) fn compress_then_serialize_message( ) -> [u8; SHARED_SECRET_SIZE] { let mut serialized = [0u8; SHARED_SECRET_SIZE]; for i in 0..16 { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i < 16 ==> - coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (2 * v $i + 2 <= 32)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_field_element::(re.coefficients[i]); let coefficient_compressed = Vector::compress_1(coefficient); let bytes = Vector::serialize_1(coefficient_compressed); @@ -56,7 +52,6 @@ pub(super) fn compress_then_serialize_message( serialized } - #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::ensures(|result| @@ -84,15 +79,9 @@ pub(super) fn deserialize_then_decompress_message( pub(super) fn serialize_uncompressed_ring_element( re: &PolynomialRingElement, ) -> [u8; BYTES_PER_RING_ELEMENT] { - hax_lib::fstar!("assert_norm (pow2 12 == 4096)"); let mut serialized = [0u8; BYTES_PER_RING_ELEMENT]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (24 * v $i + 24 <= 384)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_field_element::(re.coefficients[i]); let bytes = Vector::serialize_12(coefficient); serialized[24 * i..24 * i + 24].copy_from_slice(&bytes); @@ -112,7 +101,8 @@ pub(super) fn serialize_uncompressed_ring_element( pub(super) fn deserialize_to_uncompressed_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -128,14 +118,11 @@ pub(super) fn deserialize_to_uncompressed_ring_element( /// /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - serialized.len() == BYTES_PER_RING_ELEMENT -)] fn deserialize_to_reduced_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -152,23 +139,15 @@ fn deserialize_to_reduced_ring_element( /// /// This function MUST NOT be used on secret inputs. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - fstar!("Spec.MLKEM.is_rank v_K /\\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)") -)] -#[hax_lib::ensures(|result| - fstar!("forall (i:nat). i < v $K ==> - coefficients_field_modulus_range (Seq.index $result i)") -)] pub(super) fn deserialize_ring_elements_reduced_out< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( public_key: &[u8], ) -> [PolynomialRingElement; K] { let mut deserialized_pk = core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( public_key, &mut deserialized_pk, ); @@ -187,6 +166,7 @@ pub(super) fn deserialize_ring_elements_reduced_out< Spec.MLKEM.vector_decode_12 #$K $public_key") )] pub(super) fn deserialize_ring_elements_reduced< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( @@ -205,21 +185,13 @@ pub(super) fn deserialize_ring_elements_reduced< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("v $OUT_LEN == 320 /\\ coefficients_field_modulus_range $re"))] fn compress_then_serialize_10( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert_norm (pow2 10 == 1024)"); let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (20 * v $i + 20 <= 320)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<10>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<10>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_10(coefficient); serialized[20 * i..20 * i + 20].copy_from_slice(&bytes); @@ -228,14 +200,13 @@ fn compress_then_serialize_10( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] fn compress_then_serialize_11( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient = - Vector::compress::<11>(to_unsigned_representative::(re.coefficients[i])); + Vector::compress::<11>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_11(coefficient); serialized[22 * i..22 * i + 22].copy_from_slice(&bytes); @@ -258,10 +229,8 @@ pub(super) fn compress_then_serialize_ring_element_u< >( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 10 => compress_then_serialize_10(re), 11 => compress_then_serialize_11(re), @@ -270,28 +239,15 @@ pub(super) fn compress_then_serialize_ring_element_u< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Seq.length $serialized == 128 /\\ - coefficients_field_modulus_range $re"))] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_4( re: PolynomialRingElement, serialized: &mut [u8], ) { - hax_lib::fstar!("assert_norm (pow2 4 == 16)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { - // NOTE: Using `$serialized` in loop_invariant doesn't work here - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> (Seq.length serialized == 128 /\\ coefficients_field_modulus_range $re)") }); - hax_lib::fstar!("assert (8 * v $i + 8 <= 128)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<4>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<4>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_4(coefficient); serialized[8 * i..8 * i + 8].copy_from_slice(&bytes); @@ -300,13 +256,6 @@ fn compress_then_serialize_4( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires( - serialized.len() == 160 -)] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_5( re: PolynomialRingElement, serialized: &mut [u8], @@ -315,7 +264,7 @@ fn compress_then_serialize_5( // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { let coefficients = - Vector::compress::<5>(to_unsigned_representative::(re.coefficients[i])); + Vector::compress::<5>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_5(coefficients); serialized[10 * i..10 * i + 10].copy_from_slice(&bytes); @@ -340,10 +289,8 @@ pub(super) fn compress_then_serialize_ring_element_v< re: PolynomialRingElement, out: &mut [u8], ) { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 4 => compress_then_serialize_4(re, out), 5 => compress_then_serialize_5(re, out), @@ -352,16 +299,13 @@ pub(super) fn compress_then_serialize_ring_element_v< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 320 -)] fn deserialize_then_decompress_10( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8); + let mut re = PolynomialRingElement::::ZERO(); - let _coefficients_length = re.coefficients.len(); cloop! { for (i, bytes) in serialized.chunks_exact(20).enumerate() { let coefficient = Vector::deserialize_10(bytes); @@ -372,13 +316,11 @@ fn deserialize_then_decompress_10( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 352 -)] fn deserialize_then_decompress_11( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -407,9 +349,8 @@ pub(super) fn deserialize_then_decompress_ring_element_u< >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 10 => deserialize_then_decompress_10(serialized), 11 => deserialize_then_decompress_11(serialized), @@ -418,15 +359,11 @@ pub(super) fn deserialize_then_decompress_ring_element_u< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 128 -)] fn deserialize_then_decompress_4( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8); let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(8).enumerate() { let coefficient = Vector::deserialize_4(bytes); @@ -437,13 +374,11 @@ fn deserialize_then_decompress_4( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 160 -)] fn deserialize_then_decompress_5( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -471,9 +406,8 @@ pub(super) fn deserialize_then_decompress_ring_element_v< >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 4 => deserialize_then_decompress_4(serialized), 5 => deserialize_then_decompress_5(serialized), diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs index b1ff9dc03..b13a8e8dd 100644 --- a/libcrux-ml-kem/src/types.rs +++ b/libcrux-ml-kem/src/types.rs @@ -48,10 +48,8 @@ macro_rules! impl_generic_struct { } } - #[hax_lib::attributes] impl $name { /// A reference to the raw byte slice. - #[ensures(|result| fstar!("$result == self.f_value"))] pub fn as_slice(&self) -> &[u8; SIZE] { &self.value } @@ -148,7 +146,6 @@ pub struct MlKemKeyPair, } -#[hax_lib::attributes] impl MlKemKeyPair { @@ -161,7 +158,6 @@ impl } /// Create a new [`MlKemKeyPair`] from the secret and public key. - #[ensures(|result| fstar!("${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"))] pub fn from( sk: MlKemPrivateKey, pk: MlKemPublicKey, diff --git a/libcrux-ml-kem/src/utils.rs b/libcrux-ml-kem/src/utils.rs index 62590aa13..3c3be2bcc 100644 --- a/libcrux-ml-kem/src/utils.rs +++ b/libcrux-ml-kem/src/utils.rs @@ -8,16 +8,9 @@ #[cfg_attr(hax, hax_lib::requires( slice.len() <= LEN ))] -#[cfg_attr(hax, hax_lib::ensures(|result| - fstar!("$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)")))] pub(crate) fn into_padded_array(slice: &[u8]) -> [u8; LEN] { let mut out = [0u8; LEN]; out[0..slice.len()].copy_from_slice(slice); - hax_lib::fstar!("assert (Seq.slice out 0 (Seq.length slice) == slice)"); - hax_lib::fstar!("assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))"); - hax_lib::fstar!("assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)"); - hax_lib::fstar!("assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))"); - hax_lib::fstar!("Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))"); out } diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs index 080559de4..5b35244a2 100644 --- a/libcrux-ml-kem/src/variant.rs +++ b/libcrux-ml-kem/src/variant.rs @@ -11,14 +11,10 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash, M /// cf. FIPS 203, Appendix C #[hax_lib::attributes] pub(crate) trait Variant { - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] // We only have post-conditions for ML-KEM, not Kyber fn kdf>( shared_secret: &[u8], ciphertext: &MlKemCiphertext, ) -> [u8; 32]; - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] // We only have post-conditions for ML-KEM, not Kyber fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32]; #[requires(seed.len() == 32)] #[ensures(|res| fstar!("Seq.length $seed == 32 ==> $res == Spec.Utils.v_G @@ -72,8 +68,6 @@ pub(crate) struct MlKem {} #[hax_lib::attributes] impl Variant for MlKem { #[inline(always)] - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] fn kdf>( shared_secret: &[u8], _: &MlKemCiphertext, @@ -84,8 +78,6 @@ impl Variant for MlKem { } #[inline(always)] - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { let mut out = [0u8; 32]; out.copy_from_slice(randomness); diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index 2d6d18798..049f518ab 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -1,4 +1,5 @@ use super::traits::Operations; + pub(crate) use libcrux_intrinsics::avx2::*; mod arithmetic; @@ -8,25 +9,19 @@ mod sampling; mod serialize; #[derive(Clone, Copy)] -#[hax_lib::fstar::before(interface, "noeq")] -#[hax_lib::fstar::after(interface,"let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements")] pub struct SIMD256Vector { elements: Vec256, } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == Seq.create 16 0s"))] -fn vec_zero() -> SIMD256Vector { +fn zero() -> SIMD256Vector { SIMD256Vector { elements: mm256_setzero_si256(), } } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] -fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { +fn to_i16_array(v: SIMD256Vector) -> [i16; 16] { let mut output = [0i16; 16]; mm256_storeu_si256_i16(&mut output, v.elements); @@ -34,40 +29,31 @@ fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == ${array}"))] -fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector { +fn from_i16_array(array: &[i16]) -> SIMD256Vector { SIMD256Vector { elements: mm256_loadu_si256_i16(array), } } -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD256Vector { - fn repr(x: Self) -> [i16; 16] { - vec_to_i16_array(x) - } -} - #[hax_lib::attributes] impl Operations for SIMD256Vector { #[inline(always)] #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { - vec_zero() + zero() } #[requires(array.len() == 16)] #[ensures(|out| fstar!("impl.f_repr out == $array"))] #[inline(always)] fn from_i16_array(array: &[i16]) -> Self { - vec_from_i16_array(array) + from_i16_array(array) } #[ensures(|out| fstar!("out == impl.f_repr $x"))] #[inline(always)] fn to_i16_array(x: Self) -> [i16; 16] { - vec_to_i16_array(x) + to_i16_array(x) } #[requires(fstar!("forall i. i < 16 ==> @@ -127,7 +113,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))] #[inline(always)] fn cond_subtract_3329(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: arithmetic::cond_subtract_3329(vector.elements), } @@ -154,7 +139,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] #[inline(always)] fn compress_1(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_message_coefficient(vector.elements), } @@ -173,7 +157,6 @@ impl Operations for SIMD256Vector { (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] #[inline(always)] fn compress(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_ciphertext_coefficient::( vector.elements, @@ -198,7 +181,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } @@ -209,7 +191,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -220,7 +201,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_3_step(vector.elements, zeta), } @@ -232,7 +212,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } @@ -243,7 +222,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -254,7 +232,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta), } @@ -274,7 +251,6 @@ impl Operations for SIMD256Vector { zeta2: i16, zeta3: i16, ) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3), } @@ -318,14 +294,12 @@ impl Operations for SIMD256Vector { #[inline(always)] fn serialize_5(vector: Self) -> [u8; 10] { - hax_lib::fstar!("admit()"); serialize::serialize_5(vector.elements) } #[requires(bytes.len() == 10)] #[inline(always)] fn deserialize_5(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_5(bytes), } diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 1032ee28d..a980eb75d 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs @@ -3,95 +3,28 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS}; use super::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")] -#[hax_lib::fstar::before( - " -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"))] pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_add_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"); - result + mm256_add_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"))] pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_sub_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"); - result + mm256_sub_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $vector i) * v constant)"))] pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_mullo_epi16(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"); - result + mm256_mullo_epi16(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_and_si256(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - result + mm256_and_si256(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn shift_right(vector: Vec256) -> Vec256 { - let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector); - hax_lib::fstar!( - "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))" - ); - result + mm256_srai_epi16::<{ SHIFT_BY }>(vector) } // #[inline(always)] @@ -100,36 +33,17 @@ pub(crate) fn shift_right(vector: Vec256) -> Vec256 { // } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - get_lane $result i == - (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))] pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $field_modulus i == 3329s)"); + // Compute v_i - Q and crate a mask from the sign bit of each of these // quantities. let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)" - ); - let sign_mask = mm256_srai_epi16::<15>(v_minus_field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))" - ); // If v_i - Q < 0 then add back Q to (v_i - Q). let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))"); - - let result = mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.cond_sub (get_lane $vector i)); - assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))"); - - result + mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus) } const BARRETT_MULTIPLIER: i16 = 20159; @@ -137,145 +51,57 @@ const BARRETT_MULTIPLIER: i16 = 20159; /// See Section 3.2 of the implementation notes document for an explanation /// of this code. #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - (v (get_lane $vector i) % 3329))")))] pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { - let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); - hax_lib::fstar!("assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"); - let t512 = mm256_set1_epi16(512); - hax_lib::fstar!("assert (forall i. get_lane $t512 i == 512s)"); - let t1 = mm256_add_epi16(t0, t512); - hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"); - let quotient = mm256_srai_epi16::<10>(t1); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))" - ); + let t = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); + let t = mm256_add_epi16(t, mm256_set1_epi16(512)); + + let quotient = mm256_srai_epi16::<10>(t); + let quotient_times_field_modulus = mm256_mullo_epi16(quotient, mm256_set1_epi16(FIELD_MODULUS)); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient_times_field_modulus i == - get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)" - ); - let result = mm256_sub_epi16(vector, quotient_times_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == - get_lane $vector i -. get_lane $quotient_times_field_modulus i); - assert (forall i. get_lane $result i == Spec.Utils.barrett_red (get_lane $vector i)); - assert (forall i. v (get_lane $result i) % 3329 == v (get_lane $vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"); - result + + mm256_sub_epi16(vector, quotient_times_field_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 constant")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vector i) * v constant * 169) % 3329))")))] pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let vec_constant = mm256_set1_epi16(constant); - hax_lib::fstar!("assert (forall i. get_lane $vec_constant i == $constant)"); - let value_low = mm256_mullo_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"); + let constant = mm256_set1_epi16(constant); + let value_low = mm256_mullo_epi16(vector, constant); + let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vector i) $constant); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"); - result + let value_high = mm256_mulhi_epi16(vector, constant); + + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 { - let value_low = mm256_mullo_epi16(vec, constants); - hax_lib::fstar!( - "assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)" - ); +pub(crate) fn montgomery_multiply_by_constants(v: Vec256, c: Vec256) -> Vec256 { + let value_low = mm256_mullo_epi16(v, c); let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); + let value_high = mm256_mulhi_epi16(v, c); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vec i) (get_lane $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"); - result + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * 169) % 3329))")))] -pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { +pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 { let k = mm256_mullo_epi16( - vec, + v, mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32), ); let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi32(FIELD_MODULUS as i32)); - let value_high = mm256_srli_epi32::<16>(vec); + let value_high = mm256_srli_epi32::<16>(v); let result = mm256_sub_epi16(value_high, k_times_modulus); @@ -285,49 +111,16 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\\ - (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == - ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 { - let value_low = mm_mullo_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"); +pub(crate) fn montgomery_multiply_m128i_by_constants(v: Vec128, c: Vec128) -> Vec128 { + let value_low = mm_mullo_epi16(v, c); let k = mm_mullo_epi16( value_low, mm_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!( - "assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))" - ); + let k_times_modulus = mm_mulhi_epi16(k, mm_set1_epi16(FIELD_MODULUS)); + + let value_high = mm_mulhi_epi16(v, c); - let modulus = mm_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane128 $modulus i == 3329s)"); - - let k_times_modulus = mm_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus)); - assert (forall i. get_lane128 $k_times_modulus i == - (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_high i == - (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane128 $result i == (get_lane128 $value_high i) -. (get_lane128 $k_times_modulus i)); - assert (forall i. get_lane128 $result i == Spec.Utils.mont_mul_red_i16 (get_lane128 $vec i) (get_lane128 $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result)); - assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"); - - result + mm_sub_epi16(value_high, k_times_modulus) } diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs index 9d02e9730..fc5464957 100644 --- a/libcrux-ml-kem/src/vector/avx2/compress.rs +++ b/libcrux-ml-kem/src/vector/avx2/compress.rs @@ -38,8 +38,6 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 { } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\ - range (v (1l <( vector: Vec256, ) -> Vec256 { @@ -105,7 +103,6 @@ pub(crate) fn compress_ciphertext_coefficient( } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"))] pub(crate) fn decompress_ciphertext_coefficient( vector: Vec256, ) -> Vec256 { diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs index 437c6a473..b571b0ee7 100644 --- a/libcrux-ml-kem/src/vector/avx2/ntt.rs +++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs @@ -1,7 +1,6 @@ use super::*; #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -23,7 +22,6 @@ pub(crate) fn ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let zetas = mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, @@ -39,7 +37,6 @@ pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))] pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let rhs = mm256_extracti128_si256::<1>(vector); let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta)); @@ -56,8 +53,6 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn inv_ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -87,7 +82,6 @@ pub(crate) fn inv_ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector); @@ -109,7 +103,6 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))] pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let lhs = mm256_extracti128_si256::<1>(vector); let rhs = mm256_castsi256_si128(vector); @@ -127,7 +120,6 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn ntt_multiply( lhs: Vec256, rhs: Vec256, diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs index 1f3565b40..9ce5c20f8 100644 --- a/libcrux-ml-kem/src/vector/avx2/sampling.rs +++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs @@ -5,11 +5,6 @@ use super::{ }; #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(input.len() == 24 && output.len() == 16)] -#[hax_lib::ensures(|res| - fstar!("Seq.length $output_future == Seq.length $output /\\ v $res <= 16") - )] pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); @@ -31,14 +26,6 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { // each lane in the register to tell us what coefficients to keep and what // to throw-away. Combine all the bits (there are 16) into two bytes. let good = serialize_1(compare_with_field_modulus); - hax_lib::fstar!("assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256); - // We need to provide a definition or post-condition for Core.Num.impl__u8__count_ones - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))"); // Each bit (and its corresponding position) represents an element we // want to sample. We'd like all such elements to be next to each other starting diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 693bb1bf8..5b2a4fae5 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -2,9 +2,6 @@ use super::*; use crate::vector::portable::PortableVector; #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")] -#[hax_lib::requires(fstar!("forall i. i % 16 >= 1 ==> vector i == 0"))] -#[hax_lib::ensures(|result| fstar!("forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"))] pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // Suppose |vector| is laid out as follows (superscript number indicates the // corresponding bit is duplicated that many times): @@ -46,139 +43,79 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // 0xFF 0x00 0x00 0x00 | 0xFF 0x00 0x00 0x00 | 0x00 0x00 0x00 0x00 | 0x00 0x00 0x00 0xFF let msbs = mm_packs_epi16(low_msbs, high_msbs); - hax_lib::fstar!( - r#" -let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in - assert (forall (i: nat{i < 16}). bits_packed' i = $vector ((i / 1) * 16 + i % 1)) - by ( - Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync () - ) - ) -"# - ); - // Now that every element is either 0xFF or 0x00, we just extract the most // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); - let result = [bits_packed as u8, (bits_packed >> 8) as u8]; + let mut serialized = [0u8; 2]; + serialized[0] = bits_packed as u8; + serialized[1] = (bits_packed >> 8) as u8; - hax_lib::fstar!( - r#" -assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! 8l <: i32) (sz i) == get_bit $bits_packed (sz (i + 8))) -"# - ); - - result + serialized } #[inline(always)] -#[hax_lib::requires(bytes.len() == 2)] -#[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j)) -"# -))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - #[inline(always)] - pub(crate) fn deserialize_1_u8s(a: u8, b: u8) -> Vec256 { - deserialize_1_i16s(a as i16, b as i16) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 { - // We need to take each bit from the 2 bytes of input and put them - // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, - // duplicate them, and right-shift the 0th element by 0 bits, - // the first element by 1 bit, the second by 2 bits and so on before AND-ing - // with 0x1 to leave only the least signifinicant bit. - // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a - // workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bit we're interested in becomes the most - // significant bit. - // The coefficients are loaded as follows: - let coefficients = mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); - - // And this vector, when multiplied with the previous one, ensures that the - // bit we'd like to keep in each lane becomes the most significant bit upon - // multiplication. - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - ), - ); - - // Now that they're all in the most significant bit position, shift them - // down to the least significant bit. - mm256_srli_epi16::<15>(coefficients_in_msb) - } - - deserialize_1_u8s(bytes[0], bytes[1]) -} + // We need to take each bit from the 2 bytes of input and put them + // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, + // duplicate them, and right-shift the 0th element by 0 bits, + // the first element by 1 bit, the second by 2 bits and so on before AND-ing + // with 0x1 to leave only the least signifinicant bit. + // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a + // workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bit we're interested in becomes the most + // significant bit. + + // The coefficients are loaded as follows: + let coefficients = mm256_set_epi16( + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); -/// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets -/// of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of -/// 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last -/// `n` bits are non-zero). -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_concat_pairs_n}")] -#[inline(always)] -fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { - let n = 1 << n; - mm256_madd_epi16( - x, - mm256_set_epi16(n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1), - ) + // And this vector, when multiplied with the previous one, ensures that the + // bit we'd like to keep in each lane becomes the most significant bit upon + // multiplication. + let shift_lsb_to_msb = mm256_set_epi16( + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + ); + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + + // Now that they're all in the most significant bit position, shift them + // down to the least significant bit. + mm256_srli_epi16::<15>(coefficients_in_msb) } -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires( - fstar!( - r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"# - ) -)] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"))] #[inline(always)] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -191,7 +128,27 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // as follows: // // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... - let adjacent_2_combined = mm256_concat_pairs_n(4, vector); + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + ), + ); // Recall that |adjacent_2_combined| goes as follows: // @@ -219,131 +176,71 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // ... so that we can read them out in one go. mm_storeu_bytes_si128(&mut serialized, combined); - hax_lib::fstar!( - r#" -assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialized 8 i); - introduce forall (i: nat {i < 64}). $combined i = vector ((i / 4) * 16 + i % 4) - with assert_norm (BitVec.Utils.forall64 (fun i -> $combined i = $vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). bit_vec_of_int_t_array serialized 8 i == $vector ((i / 4) * 16 + i % 4)) -"# - ); - serialized[0..8].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(bytes.len() == 8)] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 4 then 0 - else let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 { - deserialize_4_i16s( - b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16, - ) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_i16s( - b0: i16, - b1: i16, - b2: i16, - b3: i16, - b4: i16, - b5: i16, - b6: i16, - b7: i16, - ) -> Vec256 { - // Every 4 bits from each byte of input should be put into its own 16-bit lane. - // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bits we're interested in become the most - // significant bits (of an 8-bit value). - let coefficients = mm256_set_epi16( - // In this lane, the 4 bits we need to put are already the most - // significant bits of |bytes[7]| (that is, b7). - b7, - // In this lane, the 4 bits we need to put are the least significant bits, - // so we need to shift the 4 least-significant bits of |b7| to the - // most significant bits (of an 8-bit value). - b7, // and so on ... - b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0, - ); - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - // These constants are chosen to shift the bits of the values - // that we loaded into |coefficients|. - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - - // Once the 4-bit coefficients are in the most significant positions (of - // an 8-bit value), shift them all down by 4. - let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); - - // Zero the remaining bits. - mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) - } - - deserialize_4_u8s( - bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], - ) + // Every 4 bits from each byte of input should be put into its own 16-bit lane. + // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bits we're interested in become the most + // significant bits (of an 8-bit value). + let coefficients = mm256_set_epi16( + // In this lane, the 4 bits we need to put are already the most + // significant bits of |bytes[7]|. + bytes[7] as i16, + // In this lane, the 4 bits we need to put are the least significant bits, + // so we need to shift the 4 least-significant bits of |bytes[7]| to the + // most significant bits (of an 8-bit value). + bytes[7] as i16, + // and so on ... + bytes[6] as i16, + bytes[6] as i16, + bytes[5] as i16, + bytes[5] as i16, + bytes[4] as i16, + bytes[4] as i16, + bytes[3] as i16, + bytes[3] as i16, + bytes[2] as i16, + bytes[2] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); + + let shift_lsbs_to_msbs = mm256_set_epi16( + // These constants are chosen to shift the bits of the values + // that we loaded into |coefficients|. + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + + // Once the 4-bit coefficients are in the most significant positions (of + // an 8-bit value), shift them all down by 4. + let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); + + // Zero the remaining bits. + mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) } #[inline(always)] @@ -443,31 +340,15 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { serialized[0..10].try_into().unwrap() } -/// We cannot model `mm256_inserti128_si256` on its own: it produces a -/// Vec256 where the upper 128 bits are undefined. Thus -/// `mm256_inserti128_si256` is not pure. -/// -/// Luckily, we always call `mm256_castsi128_si256` right after -/// `mm256_inserti128_si256`: this composition sets the upper bits, -/// making the whole computation pure again. -#[inline(always)] -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_si256_from_two_si128 as ${mm256_si256_from_two_si128}}" -)] -fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { - mm256_inserti128_si256::<1>(mm256_castsi128_si256(lower), upper) -} - #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))] pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4], bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0], ); - let coefficients_loaded = mm256_si256_from_two_si128(coefficients, coefficients); + let coefficients_loaded = mm256_castsi128_si256(coefficients); + let coefficients_loaded = mm256_inserti128_si256::<1>(coefficients_loaded, coefficients); let coefficients = mm256_shuffle_epi8( coefficients_loaded, @@ -502,172 +383,137 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 160}). - vector ((i/10) * 16 + i%10) == (if i < 80 then $lower_8 i else $upper_8 (i - 80)) - ) - "# - ))] - fn serialize_10_vec(vector: Vec256) -> (Vec128, Vec128) { - // If |vector| is laid out as follows (superscript number indicates the - // corresponding bit is duplicated that many times): - // - // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ - // ... - // - // |adjacent_2_combined| will be laid out as a series of 32-bit integers, - // as follows: - // - // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // .... - let adjacent_2_combined = mm256_concat_pairs_n(10, vector); - - // Shifting up the values at the even indices by 12, we get: - // - // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // ... - let adjacent_4_combined = mm256_sllv_epi32( - adjacent_2_combined, - mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), - ); - - // Viewing this as a set of 64-bit integers we get: - // - // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ - // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ - // ... - // - // Shifting down by 12 gives us: - // - // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ - // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ - // ... - let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); - - // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped - // into bytes, looks like: - // - // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ - // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ - // - // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after - // bytes 0, 1, 2, 3 to allow for sequential reading. - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, - 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, - ), - ); - // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - // and 64 bits starting at position 0 in the upper 128-bit lane. - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i:nat{i < 80}). upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - "# - ); - (lower_8, upper_8) - } - - let (lower_8, upper_8) = serialize_10_vec(vector); - let mut serialized = [0u8; 32]; + + // If |vector| is laid out as follows (superscript number indicates the + // corresponding bit is duplicated that many times): + // + // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ + // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ + // ... + // + // |adjacent_2_combined| will be laid out as a series of 32-bit integers, + // as follows: + // + // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // .... + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + ), + ); + + // Shifting up the values at the even indices by 12, we get: + // + // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // ... + let adjacent_4_combined = mm256_sllv_epi32( + adjacent_2_combined, + mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), + ); + + // Viewing this as a set of 64-bit integers we get: + // + // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ + // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ + // ... + // + // Shifting down by 12 gives us: + // + // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ + // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ + // ... + let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); + + // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped + // into bytes, looks like: + // + // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ + // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ + // + // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after + // bytes 0, 1, 2, 3 to allow for sequential reading. + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, + 11, 10, 9, 8, 4, 3, 2, 1, 0, + ), + ); + + // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); + + // and 64 bits starting at position 0 in the upper 128-bit lane. + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); serialized[0..20].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))] pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). - $coefficients i - = ( if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_10_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - ), - ); - let coefficients = mm256_srli_epi16::<6>(coefficients); - // Here I can prove this `and` is not useful - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 10 - then let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32) - else 0))) -"# - ); - coefficients - } - - let lower_coefficients = &bytes[0..16]; - let upper_coefficients = &bytes[4..20]; - deserialize_10_vec( - mm_loadu_si128(lower_coefficients), - mm_loadu_si128(upper_coefficients), - ) + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + ); + + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), + ); + let upper_coefficients = mm_loadu_si128(&bytes[4..20]); + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<6>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); + + coefficients } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { let mut array = [0i16; 16]; mm256_storeu_si256_i16(&mut array, vector); @@ -676,7 +522,6 @@ pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { let output = PortableVector::deserialize_11(bytes); let array = PortableVector::to_i16_array(output); @@ -684,49 +529,46 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"))] pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { - #[inline(always)] - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 192}). - vector ((i/12) * 16 + i%12) == (if i < 96 then $lower_8 i else $upper_8 (i - 96)) - ) - "# - ))] - fn serialize_12_vec(vector: Vec256) -> (Vec128, Vec128) { - let adjacent_2_combined = mm256_concat_pairs_n(12, vector); - let adjacent_4_combined = - mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); - let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); - - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, - 10, 9, 8, 5, 4, 3, 2, 1, 0, - ), - ); - - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 96}). lower_8_ i = vector ((i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i:nat{i < 96}). upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - "# - ); - (lower_8, upper_8) - } - let mut serialized = [0u8; 32]; - let (lower_8, upper_8) = serialize_12_vec(vector); + + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + ), + ); + + let adjacent_4_combined = + mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); + let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); + + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, 10, + 9, 8, 5, 4, 3, 2, 1, 0, + ), + ); + + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[12..28], upper_8); @@ -734,69 +576,43 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))] pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). - $coefficients i - = ( if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_12_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - let coefficients = mm256_srli_epi16::<4>(coefficients); - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 12 - then let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64) - else 0))) -"# - ); - coefficients - } + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), + ); let upper_coefficients = mm_loadu_si128(&bytes[8..24]); - deserialize_12_vec(lower_coefficients, upper_coefficients) + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<4>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); + + coefficients } diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs index bd3be862a..68539971e 100644 --- a/libcrux-ml-kem/src/vector/neon.rs +++ b/libcrux-ml-kem/src/vector/neon.rs @@ -16,28 +16,16 @@ use serialize::*; pub(crate) use vector_type::SIMD128Vector; use vector_type::*; -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD128Vector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::attributes] impl Operations for SIMD128Vector { #[inline(always)] - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { ZERO() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } diff --git a/libcrux-ml-kem/src/vector/neon/vector_type.rs b/libcrux-ml-kem/src/vector/neon/vector_type.rs index d711e7d6e..61b4d319d 100644 --- a/libcrux-ml-kem/src/vector/neon/vector_type.rs +++ b/libcrux-ml-kem/src/vector/neon/vector_type.rs @@ -1,15 +1,20 @@ use libcrux_intrinsics::arm64::*; #[derive(Clone, Copy)] -#[hax_lib::fstar::after(interface,"val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)")] -#[hax_lib::fstar::after("let repr (x:t_SIMD128Vector) = admit()")] pub struct SIMD128Vector { pub low: _int16x8_t, pub high: _int16x8_t, } +#[allow(non_snake_case)] +#[inline(always)] +pub(crate) fn ZERO() -> SIMD128Vector { + SIMD128Vector { + low: _vdupq_n_s16(0), + high: _vdupq_n_s16(0), + } +} + #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { let mut out = [0i16; 16]; _vst1q_s16(&mut out[0..8], v.low); @@ -18,22 +23,9 @@ pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == $array"))] pub(crate) fn from_i16_array(array: &[i16]) -> SIMD128Vector { SIMD128Vector { low: _vld1q_s16(&array[0..8]), high: _vld1q_s16(&array[8..16]), } } - -#[allow(non_snake_case)] -#[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr result == Seq.create 16 0s"))] -pub(crate) fn ZERO() -> SIMD128Vector { - SIMD128Vector { - low: _vdupq_n_s16(0), - high: _vdupq_n_s16(0), - } -} \ No newline at end of file diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs index b8e46b460..2ed759d54 100644 --- a/libcrux-ml-kem/src/vector/portable.rs +++ b/libcrux-ml-kem/src/vector/portable.rs @@ -1,4 +1,5 @@ use super::Operations; + mod arithmetic; mod compress; mod ntt; @@ -10,250 +11,92 @@ use arithmetic::*; use compress::*; use ntt::*; use sampling::*; +use serialize::*; use vector_type::*; pub(crate) use vector_type::PortableVector; -#[cfg(hax)] -impl crate::vector::traits::Repr for PortableVector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] -fn serialize_1(a: PortableVector) -> [u8; 2] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"); - serialize::serialize_1(a) -} - -#[hax_lib::requires(a.len() == 2)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] -fn deserialize_1(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a"); - serialize::deserialize_1(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] -fn serialize_4(a: PortableVector) -> [u8; 8] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"); - serialize::serialize_4(a) -} - -#[hax_lib::requires(a.len() == 8)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] -fn deserialize_4(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a"); - serialize::deserialize_4(a) -} - -fn serialize_5(a: PortableVector) -> [u8; 10] { - serialize::serialize_5(a) -} - -#[hax_lib::requires(a.len() == 10)] -fn deserialize_5(a: &[u8]) -> PortableVector { - serialize::deserialize_5(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] -fn serialize_10(a: PortableVector) -> [u8; 20] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"); - serialize::serialize_10(a) -} - -#[hax_lib::requires(a.len() == 20)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] -fn deserialize_10(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a"); - serialize::deserialize_10(a) -} - -fn serialize_11(a: PortableVector) -> [u8; 22] { - serialize::serialize_11(a) -} - -#[hax_lib::requires(a.len() == 22)] -fn deserialize_11(a: &[u8]) -> PortableVector { - serialize::deserialize_11(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] -fn serialize_12(a: PortableVector) -> [u8; 24] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"); - serialize::serialize_12(a) -} - -#[hax_lib::requires(a.len() == 24)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] -fn deserialize_12(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a"); - serialize::deserialize_12(a) -} - -#[hax_lib::fstar::before(interface, r#"#push-options "--z3rlimit 400 --split_queries always""#)] -#[hax_lib::fstar::after(interface, r#"#pop-options"#)] -#[hax_lib::attributes] impl Operations for PortableVector { - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { zero() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] fn add(lhs: Self, rhs: &Self) -> Self { add(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] fn sub(lhs: Self, rhs: &Self) -> Self { sub(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self { - multiply_by_constant(vec, c) + fn multiply_by_constant(v: Self, c: i16) -> Self { + multiply_by_constant(v, c) } - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self { bitwise_and_with_constant(v, c) } - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"))] fn shift_right(v: Self) -> Self { shift_right::<{ SHIFT_BY }>(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"))] - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self { cond_subtract_3329(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"))] fn barrett_reduce(v: Self) -> Self { barrett_reduce(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 $r"))] fn montgomery_multiply_by_constant(v: Self, r: i16) -> Self { montgomery_multiply_by_constant(v, r) } - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329"))] - #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] - fn compress_1(a: Self) -> Self { - compress_1(a) + fn compress_1(v: Self) -> Self { + compress_1(v) } - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329)"))] - #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self { - compress::(a) + fn compress(v: Self) -> Self { + compress::(v) } - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] fn decompress_ciphertext_coefficient(v: Self) -> Self { decompress_ciphertext_coefficient::(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self { ntt_layer_3_step(a, zeta) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { inv_ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self { inv_ntt_layer_3_step(a, zeta) } - - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn ntt_multiply( lhs: &Self, rhs: &Self, @@ -265,26 +108,18 @@ impl Operations for PortableVector { ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] fn serialize_1(a: Self) -> [u8; 2] { serialize_1(a) } - #[requires(a.len() == 2)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] fn deserialize_1(a: &[u8]) -> Self { deserialize_1(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] fn serialize_4(a: Self) -> [u8; 8] { - serialize_4(a) + serialize_4(a) } - #[requires(a.len() == 8)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] fn deserialize_4(a: &[u8]) -> Self { deserialize_4(a) } @@ -293,19 +128,14 @@ impl Operations for PortableVector { serialize_5(a) } - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self { deserialize_5(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] fn serialize_10(a: Self) -> [u8; 20] { serialize_10(a) } - #[requires(a.len() == 20)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] fn deserialize_10(a: &[u8]) -> Self { deserialize_10(a) } @@ -314,27 +144,18 @@ impl Operations for PortableVector { serialize_11(a) } - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self { deserialize_11(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] fn serialize_12(a: Self) -> [u8; 24] { serialize_12(a) } - #[requires(a.len() == 24)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] fn deserialize_12(a: &[u8]) -> Self { deserialize_12(a) } - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { rej_sample(a, out) } diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs index 54a7b150f..ec2a1cbe7 100644 --- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs @@ -1,5 +1,7 @@ use super::vector_type::*; -use crate::vector::traits::{FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, BARRETT_SHIFT, BARRETT_R, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}; +use crate::vector::{ + traits::FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, +}; /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). @@ -14,145 +16,83 @@ pub type FieldElementTimesMontgomeryR = i16; pub(crate) const MONTGOMERY_SHIFT: u8 = 16; pub(crate) const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT; +pub(crate) const BARRETT_SHIFT: i32 = 26; +pub(crate) const BARRETT_R: i32 = 1 << BARRETT_SHIFT; /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ pub(crate) const BARRETT_MULTIPLIER: i32 = 20159; -#[hax_lib::fstar::options("--z3rlimit 150 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(n <= 16))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("v result == v value % pow2(v n)")))] +#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))] +#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))] #[inline(always)] pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 { - let res = value & ((1 << n) - 1); - hax_lib::fstar!("calc (==) { - v res; - (==) { } - v (logand value ((1ul < - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] += rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] -= rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] -pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == - (Seq.index ${_vec0}.f_elements j) *! c) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] *= c; + v.elements[i] *= c; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${vec}.f_elements i) == - v (Seq.index ${_vec0}.f_elements i) * v c)"); - vec + + v } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"))] -pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn bitwise_and_with_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j &. c)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] &= c; + v.elements[i] &= c; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"); - vec + + v } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"))] -pub fn shift_right(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn shift_right(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] = vec.elements[i] >> SHIFT_BY; + v.elements[i] = v.elements[i] >> SHIFT_BY; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"); - vec + + v } -/// Note: This function is not secret independent -/// Only use with public values. +// #[inline(always)] +// pub fn shift_left(mut lhs: PortableVector) -> PortableVector { +// for i in 0..FIELD_ELEMENTS_IN_VECTOR { +// lhs.elements[i] = lhs.elements[i] << SHIFT_BY; +// } + +// lhs +// } + #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"))] -pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn cond_subtract_3329(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (let x = Seq.index ${_vec0}.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - if vec.elements[i] >= 3329 { - vec.elements[i] -= 3329 + debug_assert!(v.elements[i] >= 0 && v.elements[i] < 4096); + if v.elements[i] >= 3329 { + v.elements[i] -= 3329 } } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"); - vec + v } /// Signed Barrett Reduction @@ -164,60 +104,36 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { /// - the absolute value of `result` is bound as follows: /// /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 28296 value")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == v value % 3329")))] +/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +#[cfg_attr(hax, hax_lib::requires((i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R)))] +#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))] pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement { + // hax_debug_assert!( + // i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R, + // "value is {value}" + // ); + let t = (i32::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1); - hax_lib::fstar!("assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)"); - hax_lib::fstar!("assert (v t / pow2 26 < 9)"); - hax_lib::fstar!("assert (v t / pow2 26 > - 9)"); let quotient = (t >> BARRETT_SHIFT) as i16; - hax_lib::fstar!("assert (v quotient = v t / pow2 26)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 9 quotient)"); + let result = value - (quotient * FIELD_MODULUS); - hax_lib::fstar!("calc (==) { - v result % 3329; - (==) { } - (v value - (v quotient * 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329} - (v value - (v quotient * 3329) % 3329) % 3329; - (==) {Math.Lemmas.cancel_mul_mod (v quotient) 3329} - (v value - 0) % 3329; - (==) {} - (v value) % 3329; - }"); + + // hax_debug_assert!( + // result > -FIELD_MODULUS && result < FIELD_MODULUS, + // "value is {value}" + // ); + result } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 ${vec}.f_elements")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == - (v (Seq.index ${vec}.f_elements i) % 3329))")))] -pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub(crate) fn barrett_reduce(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements j) /\\ - v (Seq.index ${vec}.f_elements j) % 3329 == (v (Seq.index ${_vec0}.f_elements j) % 3329))) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j /\\ - Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))") }); - let vi = barrett_reduce_element(vec.elements[i]); - vec.elements[i] = vi; - hax_lib::fstar!("assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert(Spec.Utils.is_i16b 3328 vi); - assert(Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"); + v.elements[i] = barrett_reduce_element(v.elements[i]); } - vec + + v } /// Signed Montgomery Reduction @@ -228,84 +144,29 @@ pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: /// -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) /// -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// -#[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i32b (3328 * pow2 16) value ")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b (3328 + 1665) result /\\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\\ - v result % 3329 == (v value * 169) % 3329")))] +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. +#[cfg_attr(hax, hax_lib::requires(value >= -(FIELD_MODULUS as i32) * MONTGOMERY_R && value <= (FIELD_MODULUS as i32) * MONTGOMERY_R))] +#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))] pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { // This forces hax to extract code for MONTGOMERY_R before it extracts code // for this function. The removal of this line is being tracked in: // https://github.com/cryspen/libcrux/issues/134 let _ = MONTGOMERY_R; + //hax_debug_assert!( + // value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R, + // "value is {value}" + //); + let k = (value as i16) as i32 * (INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); - hax_lib::fstar!("assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert(v k == (v value @% pow2 16) * 62209); - assert(v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert(v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert(v (cast (cast (k <: i32) <: i16) <: i32) >= -pow2 15); - assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)"); let k_times_modulus = (k as i16 as i32) * (FIELD_MODULUS as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)"); + let c = (k_times_modulus >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert(v c == v k_times_modulus / pow2 16); - assert(Spec.Utils.is_i16b 1665 c)"); let value_high = (value >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert(Spec.Utils.is_i16b 3328 value_high)"); - let res = value_high - c; - hax_lib::fstar!("assert(Spec.Utils.is_i16b (3328 + 1665) res)"); - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)"); - hax_lib::fstar!("calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) (pow2 16) 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0)"); - hax_lib::fstar!("calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329 ; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) (pow2 16 * 169) 3329} - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16)} - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)} - (v value * 169) % 3329; - }"); - res + + value_high - c } /// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to @@ -317,37 +178,17 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 300")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 fer")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == (v fe * v fer * 169) % 3329")))] pub(crate) fn montgomery_multiply_fe_by_fer( fe: FieldElement, fer: FieldElementTimesMontgomeryR, ) -> FieldElement { - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer"); - let product = (fe as i32) * (fer as i32); - montgomery_reduce_element(product) + montgomery_reduce_element((fe as i32) * (fer as i32)) } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 c")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(" -Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ -(forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) % 3329 == - (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))")))] -pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub(crate) fn montgomery_multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> - (let vecj = Seq.index ${vec}.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\\ - v vecj % 3329 == (v (Seq.index ${_vec0}.f_elements j) * v c * 169) % 3329))) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c) + v.elements[i] = montgomery_multiply_fe_by_fer(v.elements[i], c) } - vec + v } diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs index ae3be0ab3..a81414120 100644 --- a/libcrux-ml-kem/src/vector/portable/compress.rs +++ b/libcrux-ml-kem/src/vector/portable/compress.rs @@ -109,36 +109,12 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::before(" -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) -"))] -#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")] -#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\ - v (Seq.index ${a}.f_elements i) < 3329"))] -#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${result}.f_elements.[ sz i ] <: i16) < 2"))] -pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. - (cast ($FIELD_MODULUS) <: u16))"); +pub(crate) fn compress_1(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < 2)") }); - hax_lib::fstar!("compress_message_coefficient_range_helper (cast (${a}.f_elements.[ $i ]) <: u16)"); - a.elements[i] = compress_message_coefficient(a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < 2)"); + v.elements[i] = compress_message_coefficient(v.elements[i] as u16) as i16; } - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < 2)"); - a + v } #[inline(always)] @@ -158,17 +134,9 @@ pub(crate) fn compress(mut a: PortableVector) -> Po hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. (cast ($FIELD_MODULUS) <: u16))"); for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))") }); a.elements[i] = compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"); } - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"); a } diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs index 35abf02ce..d6eb66396 100644 --- a/libcrux-ml-kem/src/vector/portable/ntt.rs +++ b/libcrux-ml-kem/src/vector/portable/ntt.rs @@ -2,229 +2,111 @@ use super::arithmetic::*; use super::vector_type::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"))] -#[hax_lib::ensures(|result| fstar!("(forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\\ - Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==> - (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\\ - Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\\ - Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let t = montgomery_multiply_fe_by_fer(vec.elements[j], zeta); - hax_lib::fstar!("assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))"); - let a_minus_t = vec.elements[i] - t; - hax_lib::fstar!(" - calc (==) { - v $a_minus_t % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - v ${t}) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - let a_plus_t = vec.elements[i] + t; - hax_lib::fstar!(" - calc (==) { - v a_plus_t % 3329; - (==) {} - (v (Seq.index vec.f_elements (v $i)) + v $t) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v $i)) + ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - vec.elements[j] = a_minus_t; - vec.elements[i] = a_plus_t; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t)"); +pub(crate) fn ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) { + let t = montgomery_multiply_fe_by_fer(v.elements[j], zeta); + v.elements[j] = v.elements[i] - t; + v.elements[i] = v.elements[i] + t; } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"))] pub(crate) fn ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 2); - ntt_step(&mut vec, zeta0, 1, 3); - ntt_step(&mut vec, zeta1, 4, 6); - ntt_step(&mut vec, zeta1, 5, 7); - ntt_step(&mut vec, zeta2, 8, 10); - ntt_step(&mut vec, zeta2, 9, 11); - ntt_step(&mut vec, zeta3, 12, 14); - ntt_step(&mut vec, zeta3, 13, 15); - vec + ntt_step(&mut v, zeta0, 0, 2); + ntt_step(&mut v, zeta0, 1, 3); + ntt_step(&mut v, zeta1, 4, 6); + ntt_step(&mut v, zeta1, 5, 7); + ntt_step(&mut v, zeta2, 8, 10); + ntt_step(&mut v, zeta2, 9, 11); + ntt_step(&mut v, zeta3, 12, 14); + ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 4); - ntt_step(&mut vec, zeta0, 1, 5); - ntt_step(&mut vec, zeta0, 2, 6); - ntt_step(&mut vec, zeta0, 3, 7); - ntt_step(&mut vec, zeta1, 8, 12); - ntt_step(&mut vec, zeta1, 9, 13); - ntt_step(&mut vec, zeta1, 10, 14); - ntt_step(&mut vec, zeta1, 11, 15); - vec +pub(crate) fn ntt_layer_2_step(mut v: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { + ntt_step(&mut v, zeta0, 0, 4); + ntt_step(&mut v, zeta0, 1, 5); + ntt_step(&mut v, zeta0, 2, 6); + ntt_step(&mut v, zeta0, 3, 7); + ntt_step(&mut v, zeta1, 8, 12); + ntt_step(&mut v, zeta1, 9, 13); + ntt_step(&mut v, zeta1, 10, 14); + ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - ntt_step(&mut vec, zeta, 0, 8); - ntt_step(&mut vec, zeta, 1, 9); - ntt_step(&mut vec, zeta, 2, 10); - ntt_step(&mut vec, zeta, 3, 11); - ntt_step(&mut vec, zeta, 4, 12); - ntt_step(&mut vec, zeta, 5, 13); - ntt_step(&mut vec, zeta, 6, 14); - ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + ntt_step(&mut v, zeta, 0, 8); + ntt_step(&mut v, zeta, 1, 9); + ntt_step(&mut v, zeta, 2, 10); + ntt_step(&mut v, zeta, 3, 11); + ntt_step(&mut v, zeta, 4, 12); + ntt_step(&mut v, zeta, 5, 13); + ntt_step(&mut v, zeta, 6, 14); + ntt_step(&mut v, zeta, 7, 15); + v } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\\ - (forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\\ - Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let a_minus_b = vec.elements[j] - vec.elements[i]; - let a_plus_b = vec.elements[j] + vec.elements[i]; - hax_lib::fstar!("assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))"); - let o0 = barrett_reduce_element(a_plus_b); - let o1 = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - hax_lib::fstar!(" - calc (==) { - v o0 % 3329; - (==) { } - v a_plus_b % 3329; - (==) { } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc (==) { - v o1 % 3329; - (==) { } - (v a_minus_b * v zeta * 169) % 3329; - (==) { } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % 3329; - }"); - vec.elements[i] = o0; - vec.elements[j] = o1; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1)"); +pub(crate) fn inv_ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) { + let a_minus_b = v.elements[j] - v.elements[i]; + v.elements[i] = barrett_reduce_element(v.elements[i] + v.elements[j]); + v.elements[j] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 2); - inv_ntt_step(&mut vec, zeta0, 1, 3); - inv_ntt_step(&mut vec, zeta1, 4, 6); - inv_ntt_step(&mut vec, zeta1, 5, 7); - inv_ntt_step(&mut vec, zeta2, 8, 10); - inv_ntt_step(&mut vec, zeta2, 9, 11); - inv_ntt_step(&mut vec, zeta3, 12, 14); - inv_ntt_step(&mut vec, zeta3, 13, 15); - hax_lib::fstar!( - "assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 6)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"); - vec + inv_ntt_step(&mut v, zeta0, 0, 2); + inv_ntt_step(&mut v, zeta0, 1, 3); + inv_ntt_step(&mut v, zeta1, 4, 6); + inv_ntt_step(&mut v, zeta1, 5, 7); + inv_ntt_step(&mut v, zeta2, 8, 10); + inv_ntt_step(&mut v, zeta2, 9, 11); + inv_ntt_step(&mut v, zeta3, 12, 14); + inv_ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_2_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 4); - inv_ntt_step(&mut vec, zeta0, 1, 5); - inv_ntt_step(&mut vec, zeta0, 2, 6); - inv_ntt_step(&mut vec, zeta0, 3, 7); - inv_ntt_step(&mut vec, zeta1, 8, 12); - inv_ntt_step(&mut vec, zeta1, 9, 13); - inv_ntt_step(&mut vec, zeta1, 10, 14); - inv_ntt_step(&mut vec, zeta1, 11, 15); - vec + inv_ntt_step(&mut v, zeta0, 0, 4); + inv_ntt_step(&mut v, zeta0, 1, 5); + inv_ntt_step(&mut v, zeta0, 2, 6); + inv_ntt_step(&mut v, zeta0, 3, 7); + inv_ntt_step(&mut v, zeta1, 8, 12); + inv_ntt_step(&mut v, zeta1, 9, 13); + inv_ntt_step(&mut v, zeta1, 10, 14); + inv_ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] -pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - inv_ntt_step(&mut vec, zeta, 0, 8); - inv_ntt_step(&mut vec, zeta, 1, 9); - inv_ntt_step(&mut vec, zeta, 2, 10); - inv_ntt_step(&mut vec, zeta, 3, 11); - inv_ntt_step(&mut vec, zeta, 4, 12); - inv_ntt_step(&mut vec, zeta, 5, 13); - inv_ntt_step(&mut vec, zeta, 6, 14); - inv_ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn inv_ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + inv_ntt_step(&mut v, zeta, 0, 8); + inv_ntt_step(&mut v, zeta, 1, 9); + inv_ntt_step(&mut v, zeta, 2, 10); + inv_ntt_step(&mut v, zeta, 3, 11); + inv_ntt_step(&mut v, zeta, 4, 12); + inv_ntt_step(&mut v, zeta, 5, 13); + inv_ntt_step(&mut v, zeta, 6, 14); + inv_ntt_step(&mut v, zeta, 7, 15); + v } /// Compute the product of two Kyber binomials with respect to the @@ -248,109 +130,25 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab /// The NIST FIPS 203 standard can be found at /// . #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 250 --split_queries always --query_stats --ext context_prune")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 8 /\\ Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${out}.f_elements "))] -#[hax_lib::ensures(|()| fstar!(" - Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\\ - (forall k. (k <> 2 * v $i /\\ k <> 2 * v $i + 1) ==> - Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\\ - (let ai = Seq.index ${a}.f_elements (2 * v $i) in - let aj = Seq.index ${a}.f_elements (2 * v $i + 1) in - let bi = Seq.index ${b}.f_elements (2 * v $i) in - let bj = Seq.index ${b}.f_elements (2 * v $i + 1) in - let oi = Seq.index out_future.f_elements (2 * v $i) in - let oj = Seq.index out_future.f_elements (2 * v $i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"))] pub(crate) fn ntt_multiply_binomials( a: &PortableVector, b: &PortableVector, zeta: FieldElementTimesMontgomeryR, i: usize, + j: usize, out: &mut PortableVector, ) { - let ai = a.elements[2*i]; - let bi = b.elements[2*i]; - let aj = a.elements[2*i+1]; - let bj = b.elements[2*i+1]; - hax_lib::fstar!("assert(Spec.Utils.is_i16b 3328 $ai); - assert(Spec.Utils.is_i16b 3328 $bi); - assert(Spec.Utils.is_i16b 3328 $aj); - assert(Spec.Utils.is_i16b 3328 $bj); - assert_norm (3328 * 3328 < pow2 31)"); - - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi"); - let ai_bi = (ai as i32) * (bi as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bj"); - let aj_bj_ = (aj as i32) * (bj as i32); - hax_lib::fstar!("assert_norm (3328 * 3328 <= 3328 * pow2 15)"); - let aj_bj = montgomery_reduce_element(aj_bj_); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta"); - let aj_bj_zeta = (aj_bj as i32) * (zeta as i32); - let ai_bi_aj_bj = ai_bi + aj_bj_zeta; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)"); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)"); - let o0 = montgomery_reduce_element(ai_bi_aj_bj); - hax_lib::fstar!("calc ( == ) { - v $o0 % 3329; - ( == ) { () } - (v $ai_bi_aj_bj * 169) % 3329; - ( == ) { assert(v $ai_bi_aj_bj == v $ai_bi + v $aj_bj_zeta) } - ((v $ai_bi + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $ai_bi == v $ai * v $bi) } - (((v $ai * v $bi) + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $aj_bj_zeta == v $aj_bj * v $zeta) } - (((v $ai * v $bi) + (v $aj_bj * v $zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v $ai * v $bi) + (v $aj_bj * v $zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v aj_bj % 3329 == (v $aj_bj_ * 169) % 3329) } - (((v $ai * v $bi) + (((v $aj_bj_ * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v $aj_bj_ == v $aj * v $bj) } - (((v $ai * v $bi) + (((v $aj * v $bj * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v $aj * v $bj * 169) (v $zeta) 3329 } - (((v $ai * v $bi) + (((v $aj * v $bj * 169 * v $zeta) % 3329))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v $ai * v $bi) (v $aj * v $bj * 169 * v $zeta) 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) 169 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) * 169) % 3329; - }"); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj"); - let ai_bj = (ai as i32) * (bj as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi"); - let aj_bi = (aj as i32) * (bi as i32); - let ai_bj_aj_bi = ai_bj + aj_bi; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) "); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)"); - let o1 = montgomery_reduce_element(ai_bj_aj_bi); - hax_lib::fstar!("calc ( == ) { - v $o1 % 3329; - ( == ) { () } - (v $ai_bj_aj_bi * 169) % 3329; - ( == ) { assert(v $ai_bj_aj_bi == v $ai_bj + v $aj_bi) } - ((v $ai_bj + v $aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - }"); - let _out0 = out.elements; - out.elements[2*i] = o0; - out.elements[2*i+1] = o1; - hax_lib::fstar!("assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. (k <> 2 * v i /\\ k <> 2 * v i + 1) ==> - Seq.index out.f_elements k == - Seq.index ${_out0} k)"); + let o0 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[i] as i32) + + (montgomery_reduce_element((a.elements[j] as i32) * (b.elements[j] as i32)) as i32) + * (zeta as i32), + ); + let o1 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[j] as i32) + + (a.elements[j] as i32) * (b.elements[i] as i32), + ); + out.elements[i] = o0; + out.elements[j] = o1; } // #[inline(always)] @@ -369,25 +167,6 @@ pub(crate) fn ntt_multiply_binomials( // } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta0 /\\ - Spec.Utils.is_i16b 1664 $zeta1 /\\ - Spec.Utils.is_i16b 1664 $zeta2 /\\ - Spec.Utils.is_i16b 1664 $zeta3 /\\ - Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (let zetas = Seq.seq_of_list [v zeta0; - v zeta0; v zeta1; - v zeta1; v zeta2; - v zeta2; v zeta3; - v zeta3] in - (forall (i:nat). i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"))] pub(crate) fn ntt_multiply( lhs: &PortableVector, rhs: &PortableVector, @@ -396,31 +175,14 @@ pub(crate) fn ntt_multiply( zeta2: i16, zeta3: i16, ) -> PortableVector { - let nzeta0 = -zeta0; - let nzeta1 = -zeta1; - let nzeta2 = -zeta2; - let nzeta3 = -zeta3; - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta0)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta1)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta2)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta3)"); let mut out = zero(); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta0, 0, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta0, 1, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta1, 2, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta1, 3, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta2, 4, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta2, 5, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta3, 6, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta3, 7, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); + ntt_multiply_binomials(lhs, rhs, zeta0, 0, 1, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta0, 2, 3, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta1, 4, 5, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta1, 6, 7, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta2, 8, 9, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta2, 10, 11, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta3, 12, 13, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta3, 14, 15, &mut out); out } diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs index 13f6f9f33..87dacce97 100644 --- a/libcrux-ml-kem/src/vector/portable/sampling.rs +++ b/libcrux-ml-kem/src/vector/portable/sampling.rs @@ -1,11 +1,6 @@ use crate::vector::FIELD_MODULUS; #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(a.len() == 24 && result.len() == 16)] -#[hax_lib::ensures(|res| - fstar!("Seq.length $result_future == Seq.length $result /\\ v $res <= 16") - )] pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize { let mut sampled = 0; for i in 0..a.len() / 3 { diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs index 151c1b31b..e0818dc28 100644 --- a/libcrux-ml-kem/src/vector/portable/serialize.rs +++ b/libcrux-ml-kem/src/vector/portable/serialize.rs @@ -13,135 +13,33 @@ // and code that updates arrays (in the outer functions). use super::vector_type::*; +use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_1_lemma inputs = - serialize_1_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1)) - : squash ( - let inputs = bit_vec_of_int_t_array v 1 in - let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in - (forall (i: nat {i < 16}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] { - let result0 = (v.elements[0] as u8) | ((v.elements[1] as u8) << 1) | - ((v.elements[2] as u8) << 2) | ((v.elements[3] as u8) << 3) | - ((v.elements[4] as u8) << 4) | ((v.elements[5] as u8) << 5) | - ((v.elements[6] as u8) << 6) | ((v.elements[7] as u8) << 7); - let result1 = (v.elements[8] as u8) | ((v.elements[9] as u8) << 1) | - ((v.elements[10] as u8) << 2) | ((v.elements[11] as u8) << 3) | - ((v.elements[12] as u8) << 4) | ((v.elements[13] as u8) << 5) | - ((v.elements[14] as u8) << 6) | ((v.elements[15] as u8) << 7); - [ - result0, - result1 - ] + let mut result = [0u8; 2]; + for i in 0..8 { + result[0] |= (v.elements[i] as u8) << i; + } + for i in 8..16 { + result[1] |= (v.elements[i] as u8) << (i - 8); + } + result } -//deserialize_1_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_1_bounded_lemma inputs = - admit() -"))] -//deserialize_1_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_1_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in - (forall (i: nat {i < 16}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] #[inline(always)] pub(crate) fn deserialize_1(v: &[u8]) -> PortableVector { - let result0 = (v[0] & 0x1) as i16; - let result1 = ((v[0] >> 1) & 0x1) as i16; - let result2 = ((v[0] >> 2) & 0x1) as i16; - let result3 = ((v[0] >> 3) & 0x1) as i16; - let result4 = ((v[0] >> 4) & 0x1) as i16; - let result5 = ((v[0] >> 5) & 0x1) as i16; - let result6 = ((v[0] >> 6) & 0x1) as i16; - let result7 = ((v[0] >> 7) & 0x1) as i16; - let result8 = (v[1] & 0x1) as i16; - let result9 = ((v[1] >> 1) & 0x1) as i16; - let result10 = ((v[1] >> 2) & 0x1) as i16; - let result11 = ((v[1] >> 3) & 0x1) as i16; - let result12 = ((v[1] >> 4) & 0x1) as i16; - let result13 = ((v[1] >> 5) & 0x1) as i16; - let result14 = ((v[1] >> 6) & 0x1) as i16; - let result15 = ((v[1] >> 7) & 0x1) as i16; - PortableVector { elements: [ - result0, - result1, - result2, - result3, - result4, - result5, - result6, - result7, - result8, - result9, - result10, - result11, - result12, - result13, - result14, - result15, - ] } + let mut result = zero(); + for i in 0..8 { + result.elements[i] = ((v[0] >> i) & 0x1) as i16; + } + for i in 8..FIELD_ELEMENTS_IN_VECTOR { + result.elements[i] = ((v[1] >> (i - 8)) & 0x1) as i16; + } + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { let result0 = ((v[1] as u8) << 4) | (v[0] as u8); let result1 = ((v[3] as u8) << 4) | (v[2] as u8); @@ -150,55 +48,23 @@ pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { (result0, result1, result2, result3) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_4_lemma inputs = - serialize_4_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4)) - : squash ( - let inputs = bit_vec_of_int_t_array v 4 in - let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in - (forall (i: nat {i < 64}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_4(v: PortableVector) -> [u8; 8] { let result0_3 = serialize_4_int(&v.elements[0..8]); let result4_7 = serialize_4_int(&v.elements[8..16]); - [ - result0_3.0, - result0_3.1, - result0_3.2, - result0_3.3, - result4_7.0, - result4_7.1, - result4_7.2, - result4_7.3, - ] + let mut result = [0u8; 8]; + result[0] = result0_3.0; + result[1] = result0_3.1; + result[2] = result0_3.2; + result[3] = result0_3.3; + result[4] = result4_7.0; + result[5] = result4_7.1; + result[6] = result4_7.2; + result[7] = result4_7.3; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 4} -"#))] pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x0F) as i16; let v1 = ((bytes[0] >> 4) & 0x0F) as i16; @@ -211,75 +77,31 @@ pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -//deserialize_4_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_4} inputs).f_elements i) 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_4_bounded_lemma inputs = - admit() -"))] -//deserialize_4_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_4_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in - (forall (i: nat {i < 64}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 8} -"#))] #[inline(always)] pub(crate) fn deserialize_4(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_4_int(&bytes[0..4]); let v8_15 = deserialize_4_int(&bytes[4..8]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] | v[1] << 5) as u8; let r1 = (v[1] >> 3 | v[2] << 2 | v[3] << 7) as u8; @@ -289,57 +111,25 @@ pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_5_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 5)) -// (ensures bit_vec_of_int_t_array (${serialize_5} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 5) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_5_lemma inputs = -// serialize_5_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_5} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 5)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_5_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 5)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 5 in -// let outputs = bit_vec_of_int_t_array (${serialize_5} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 80}). inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_5(v: PortableVector) -> [u8; 10] { let r0_4 = serialize_5_int(&v.elements[0..8]); let r5_9 = serialize_5_int(&v.elements[8..16]); - [ - r0_4.0, - r0_4.1, - r0_4.2, - r0_4.3, - r0_4.4, - r5_9.0, - r5_9.1, - r5_9.2, - r5_9.3, - r5_9.4, - ] + let mut result = [0u8; 10]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 5} -"#))] pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x1F) as i16; let v1 = ((bytes[1] & 0x3) << 3 | (bytes[0] >> 5)) as i16; @@ -352,64 +142,31 @@ pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_5_lemma (inputs: t_Array u8 (sz 10)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_5_lemma inputs = -// deserialize_5_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_5_bit_vec_lemma (v: t_Array u8 (sz 10)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_5} v).f_elements 5 in -// (forall (i: nat {i < 80}). inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] #[inline(always)] pub(crate) fn deserialize_5(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_5_int(&bytes[0..5]); let v8_15 = deserialize_5_int(&bytes[5..10]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 4} -"#))] pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[1] & 0x3F) as u8) << 2 | ((v[0] >> 8) & 0x03) as u8; @@ -419,51 +176,43 @@ pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_10_lemma inputs = - serialize_10_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10)) - : squash ( - let inputs = bit_vec_of_int_t_array v 10 in - let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in - (forall (i: nat {i < 160}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_10(v: PortableVector) -> [u8; 20] { let r0_4 = serialize_10_int(&v.elements[0..4]); let r5_9 = serialize_10_int(&v.elements[4..8]); let r10_14 = serialize_10_int(&v.elements[8..12]); let r15_19 = serialize_10_int(&v.elements[12..16]); - [ - r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, r10_14.0, - r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4, - ] + // Here we could also do, the following, but it slows F* down: + // [r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, + // r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, + // r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4, + // r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4 ] + // If we can fix the F* for this, the code would be more compact. + let mut result = [0u8; 20]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result[10] = r10_14.0; + result[11] = r10_14.1; + result[12] = r10_14.2; + result[13] = r10_14.3; + result[14] = r10_14.4; + result[15] = r15_19.0; + result[16] = r15_19.1; + result[17] = r15_19.2; + result[18] = r15_19.3; + result[19] = r15_19.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let r0 = ((bytes[1] as i16 & 0x03) << 8 | (bytes[0] as i16 & 0xFF)) as i16; let r1 = ((bytes[2] as i16 & 0x0F) << 6 | (bytes[1] as i16 >> 2)) as i16; @@ -476,75 +225,31 @@ pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (r0, r1, r2, r3, r4, r5, r6, r7) } -//deserialize_10_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_10_bounded_lemma inputs = - admit() -"))] -//deserialize_10_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_10_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in - (forall (i: nat {i < 160}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 20} -"#))] #[inline(always)] pub(crate) fn deserialize_10(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_10_int(&bytes[0..10]); let v8_15 = deserialize_10_int(&bytes[10..20]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) { let r0 = v[0] as u8; let r1 = ((v[1] & 0x1F) as u8) << 3 | ((v[0] >> 8) as u8); @@ -560,119 +265,76 @@ pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8 (r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_11_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 11)) -// (ensures bit_vec_of_int_t_array (${serialize_11} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 11) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_11_lemma inputs = -// serialize_11_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_11} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 11)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_11_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 11)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 11 in -// let outputs = bit_vec_of_int_t_array (${serialize_11} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 176}). inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_11(v: PortableVector) -> [u8; 22] { let r0_10 = serialize_11_int(&v.elements[0..8]); let r11_21 = serialize_11_int(&v.elements[8..16]); - [ - r0_10.0, r0_10.1, r0_10.2, r0_10.3, r0_10.4, r0_10.5, r0_10.6, r0_10.7, r0_10.8, r0_10.9, r0_10.10, - r11_21.0, r11_21.1, r11_21.2, r11_21.3, r11_21.4, r11_21.5, r11_21.6, r11_21.7, r11_21.8, r11_21.9, r11_21.10, - ] + let mut result = [0u8; 22]; + result[0] = r0_10.0; + result[1] = r0_10.1; + result[2] = r0_10.2; + result[3] = r0_10.3; + result[4] = r0_10.4; + result[5] = r0_10.5; + result[6] = r0_10.6; + result[7] = r0_10.7; + result[8] = r0_10.8; + result[9] = r0_10.9; + result[10] = r0_10.10; + result[11] = r11_21.0; + result[12] = r11_21.1; + result[13] = r11_21.2; + result[14] = r11_21.3; + result[15] = r11_21.4; + result[16] = r11_21.5; + result[17] = r11_21.6; + result[18] = r11_21.7; + result[19] = r11_21.8; + result[20] = r11_21.9; + result[21] = r11_21.10; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 11} -"#))] pub(crate) fn deserialize_11_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { - let r0 = (bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16; - let r1 = (bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3); - let r2 = (bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6); - let r3 = (bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1); - let r4 = (bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4); - let r5 = (bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7); - let r6 = (bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2); - let r7 = ((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5); + let r0 = ((bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16) as i16; + let r1 = ((bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3)) as i16; + let r2 = ((bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6)) + as i16; + let r3 = ((bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1)) as i16; + let r4 = ((bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4)) as i16; + let r5 = + ((bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7)) as i16; + let r6 = ((bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2)) as i16; + let r7 = (((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5)) as i16; (r0, r1, r2, r3, r4, r5, r6, r7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_11_lemma (inputs: t_Array u8 (sz 22)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_11_lemma inputs = -// deserialize_11_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_11_bit_vec_lemma (v: t_Array u8 (sz 22)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_11} v).f_elements 11 in -// (forall (i: nat {i < 176}). inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 22} -"#))] #[inline(always)] pub(crate) fn deserialize_11(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_11_int(&bytes[0..11]); let v8_15 = deserialize_11_int(&bytes[11..22]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[0] >> 8) | ((v[1] & 0x0F) << 4)) as u8; @@ -680,35 +342,6 @@ pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) { (r0, r1, r2) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_12_lemma inputs = - serialize_12_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12)) - : squash ( - let inputs = bit_vec_of_int_t_array v 12 in - let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] { let r0_2 = serialize_12_int(&v.elements[0..2]); @@ -719,22 +352,35 @@ pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] { let r15_17 = serialize_12_int(&v.elements[10..12]); let r18_20 = serialize_12_int(&v.elements[12..14]); let r21_23 = serialize_12_int(&v.elements[14..16]); - [ - r0_2.0, r0_2.1, r0_2.2, - r3_5.0, r3_5.1, r3_5.2, - r6_8.0, r6_8.1, r6_8.2, - r9_11.0, r9_11.1, r9_11.2, - r12_14.0, r12_14.1, r12_14.2, - r15_17.0, r15_17.1, r15_17.2, - r18_20.0, r18_20.1, r18_20.2, - r21_23.0, r21_23.1, r21_23.2, - ] + let mut result = [0u8; 24]; + result[0] = r0_2.0; + result[1] = r0_2.1; + result[2] = r0_2.2; + result[3] = r3_5.0; + result[4] = r3_5.1; + result[5] = r3_5.2; + result[6] = r6_8.0; + result[7] = r6_8.1; + result[8] = r6_8.2; + result[9] = r9_11.0; + result[10] = r9_11.1; + result[11] = r9_11.2; + result[12] = r12_14.0; + result[13] = r12_14.1; + result[14] = r12_14.2; + result[15] = r15_17.0; + result[16] = r15_17.1; + result[17] = r15_17.2; + result[18] = r18_20.0; + result[19] = r18_20.1; + result[20] = r18_20.2; + result[21] = r21_23.0; + result[22] = r21_23.1; + result[23] = r21_23.2; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 3} -"#))] pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) { let byte0 = bytes[0] as i16; let byte1 = bytes[1] as i16; @@ -744,47 +390,6 @@ pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) { (r0, r1) } -//deserialize_12_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_12} inputs).f_elements i) 12) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_12_bounded_lemma inputs = - admit() -"))] -//deserialize_12_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_12_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 24} -"#))] #[inline(always)] pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector { let v0_1 = deserialize_12_int(&bytes[0..3]); @@ -795,22 +400,22 @@ pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector { let v10_11 = deserialize_12_int(&bytes[15..18]); let v12_13 = deserialize_12_int(&bytes[18..21]); let v14_15 = deserialize_12_int(&bytes[21..24]); - PortableVector { elements: [ - v0_1.0, - v0_1.1, - v2_3.0, - v2_3.1, - v4_5.0, - v4_5.1, - v6_7.0, - v6_7.1, - v8_9.0, - v8_9.1, - v10_11.0, - v10_11.1, - v12_13.0, - v12_13.1, - v14_15.0, - v14_15.1, - ] } + let mut re = zero(); + re.elements[0] = v0_1.0; + re.elements[1] = v0_1.1; + re.elements[2] = v2_3.0; + re.elements[3] = v2_3.1; + re.elements[4] = v4_5.0; + re.elements[5] = v4_5.1; + re.elements[6] = v6_7.0; + re.elements[7] = v6_7.1; + re.elements[8] = v8_9.0; + re.elements[9] = v8_9.1; + re.elements[10] = v10_11.0; + re.elements[11] = v10_11.1; + re.elements[12] = v12_13.0; + re.elements[13] = v12_13.1; + re.elements[14] = v14_15.0; + re.elements[15] = v14_15.1; + re } diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs index 94dde4e71..266b738e8 100644 --- a/libcrux-ml-kem/src/vector/portable/vector_type.rs +++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs @@ -1,6 +1,6 @@ use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -/// Values having this type hold a representative 'x' of the Kyber field. +/// Values having this type hold a representative 'x' of the ML-DSA field. /// We use 'fe' as a shorthand for this type. pub(crate) type FieldElement = i16; @@ -9,8 +9,8 @@ pub struct PortableVector { pub(crate) elements: [FieldElement; FIELD_ELEMENTS_IN_VECTOR], } +#[allow(non_snake_case)] #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Seq.create 16 0s"))] pub fn zero() -> PortableVector { PortableVector { elements: [0i16; FIELD_ELEMENTS_IN_VECTOR], @@ -18,16 +18,13 @@ pub fn zero() -> PortableVector { } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result} == ${x}.f_elements"))] -pub fn to_i16_array(x: PortableVector) -> [i16; 16] { - x.elements -} - -#[inline(always)] -#[hax_lib::requires(array.len() == 16)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == $array"))] pub fn from_i16_array(array: &[i16]) -> PortableVector { PortableVector { elements: array[0..16].try_into().unwrap(), } } + +#[inline(always)] +pub fn to_i16_array(x: PortableVector) -> [i16; 16] { + x.elements +} diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs index 208e58b51..6d4654377 100644 --- a/libcrux-ml-kem/src/vector/traits.rs +++ b/libcrux-ml-kem/src/vector/traits.rs @@ -2,214 +2,65 @@ pub const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353; pub const FIELD_MODULUS: i16 = 3329; pub const FIELD_ELEMENTS_IN_VECTOR: usize = 16; pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R -pub const BARRETT_SHIFT: i32 = 26; -pub const BARRETT_R: i32 = 1 << BARRETT_SHIFT; -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Repr: Copy + Clone { - #[requires(true)] - fn repr(x: Self) -> [i16; 16]; -} - -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Operations: Copy + Clone + Repr { +pub trait Operations: Copy + Clone { #[allow(non_snake_case)] - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Seq.create 16 0s"))] fn ZERO() -> Self; - - #[requires(array.len() == 16)] - #[ensures(|result| fstar!("f_repr $result == $array"))] + fn from_i16_array(array: &[i16]) -> Self; - - #[requires(true)] - #[ensures(|result| fstar!("f_repr $x == $result"))] fn to_i16_array(x: Self) -> [i16; 16]; // Basic arithmetic - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] fn add(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] fn sub(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${vec}) i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self; + fn multiply_by_constant(v: Self, c: i16) -> Self; // Bitwise operations - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"))] fn shift_right(v: Self) -> Self; // fn shift_left(v: Self) -> Self; // Modular operations - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"))] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (f_repr $vector)"))] - fn barrett_reduce(vector: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b 1664 c"))] + fn barrett_reduce(v: Self) -> Self; fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; // Compression - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329"))] - #[ensures(|result| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"))] - fn compress_1(a: Self) -> Self; - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329)"))] - #[ensures(|result| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self; - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] + fn compress_1(v: Self) -> Self; + fn compress(v: Self) -> Self; fn decompress_ciphertext_coefficient(v: Self) -> Self; // NTT - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta/\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; // Serialization and deserialization - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"))] fn serialize_1(a: Self) -> [u8; 2]; - #[requires(a.len() == 2)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"))] fn deserialize_1(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"))] fn serialize_4(a: Self) -> [u8; 8]; - #[requires(a.len() == 8)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"))] fn deserialize_4(a: &[u8]) -> Self; fn serialize_5(a: Self) -> [u8; 10]; - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"))] fn serialize_10(a: Self) -> [u8; 20]; - #[requires(a.len() == 20)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"))] fn deserialize_10(a: &[u8]) -> Self; fn serialize_11(a: Self) -> [u8; 22]; - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"))] fn serialize_12(a: Self) -> [u8; 24]; - #[requires(a.len() == 24)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"))] fn deserialize_12(a: &[u8]) -> Self; - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] - fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; -} - -#[cfg(not(hax))] -pub trait Operations: Copy + Clone { - #[allow(non_snake_case)] - fn ZERO() -> Self; - fn from_i16_array(array: &[i16]) -> Self; - fn to_i16_array(x: Self) -> [i16; 16]; - fn add(lhs: Self, rhs: &Self) -> Self; - fn sub(lhs: Self, rhs: &Self) -> Self; - fn multiply_by_constant(v: Self, c: i16) -> Self; - fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - fn shift_right(v: Self) -> Self; - fn cond_subtract_3329(v: Self) -> Self; - fn barrett_reduce(vector: Self) -> Self; - fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; - fn compress_1(v: Self) -> Self; - fn compress(v: Self) -> Self; - fn decompress_ciphertext_coefficient(v: Self) -> Self; - fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) - -> Self; - fn serialize_1(a: Self) -> [u8; 2]; - fn deserialize_1(a: &[u8]) -> Self; - fn serialize_4(a: Self) -> [u8; 8]; - fn deserialize_4(a: &[u8]) -> Self; - fn serialize_5(a: Self) -> [u8; 10]; - fn deserialize_5(a: &[u8]) -> Self; - fn serialize_10(a: Self) -> [u8; 20]; - fn deserialize_10(a: &[u8]) -> Self; - fn serialize_11(a: Self) -> [u8; 22]; - fn deserialize_11(a: &[u8]) -> Self; - fn serialize_12(a: Self) -> [u8; 24]; - fn deserialize_12(a: &[u8]) -> Self; fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; } diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index d76bbd9ca..85ed0be95 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml @@ -20,7 +20,7 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" # This is only required for verification. # The hax config is set by the hax toolchain. [target.'cfg(hax)'.dependencies] -hax-lib.workspace = true +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] simd128 = [] diff --git a/libcrux-sha3/proofs/fstar/extraction/Makefile b/libcrux-sha3/proofs/fstar/extraction/Makefile deleted file mode 100644 index ec420d509..000000000 --- a/libcrux-sha3/proofs/fstar/extraction/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/proofs/fstar/extraction-edited/Makefile b/proofs/fstar/extraction-edited/Makefile index ec420d509..6b294a42d 100644 --- a/proofs/fstar/extraction-edited/Makefile +++ b/proofs/fstar/extraction-edited/Makefile @@ -1 +1,150 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. + +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + +ifeq ($(OTHERFLAGS),$(subst --admit_smt_queries true,,$(OTHERFLAGS))) +FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints +else +FSTAR_HINTS ?= --use_hints --use_hint_hashes +endif + +VERIFIED = \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +UNVERIFIED = + + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(UNVERIFIED) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = $(FSTAR_HINTS) \ + --cmi \ + --warn_error -331 \ + --warn_error -321 \ + --warn_error -274 \ + --query_stats \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +# --log_queries \ +# --z3version 4.12.3 \ +# --smtencoding.l_arith_repr native \ +# --smtencoding.nl_arith_repr native \ + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* diff --git a/proofs/fstar/extraction-secret-independent/Makefile b/proofs/fstar/extraction-secret-independent/Makefile index ec420d509..3c4a3f008 100644 --- a/proofs/fstar/extraction-secret-independent/Makefile +++ b/proofs/fstar/extraction-secret-independent/Makefile @@ -1 +1,134 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. + +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar-secret-integers +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + + +SECRET_INDEPENDENT = \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +SECRET_INDEPENDENT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(SECRET_INDEPENDENT))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(SECRET_INDEPENDENT) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --admit_smt_queries true \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(SECRET_INDEPENDENT_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/proofs/fstar/extraction/Makefile b/proofs/fstar/extraction/Makefile index ec420d509..763274af1 100644 --- a/proofs/fstar/extraction/Makefile +++ b/proofs/fstar/extraction/Makefile @@ -1 +1,127 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. + +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + + +VERIFIED = \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fst + + +UNVERIFIED = \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Digest.fsti \ + Libcrux.Digest.Incremental_x4.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fst + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(UNVERIFIED) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) ../../../sys/platform/proofs/fstar/extraction/ + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti index 95dad6932..e8713dad5 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst deleted file mode 100644 index 0e4db4e49..000000000 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst +++ /dev/null @@ -1,69 +0,0 @@ -module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid(leaf: int) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid_count( - leaf: int, - sub_leaf: int, -) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid_count"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index 968a5585c..0b77def1e 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs index 5f6602af9..9c1755073 100644 --- a/sys/pqclean/src/bindings.rs +++ b/sys/pqclean/src/bindings.rs @@ -1,4 +1,4 @@ -/* automatically generated by rust-bindgen 0.69.4 */ +/* automatically generated by rust-bindgen 0.69.5 */ pub const SHAKE128_RATE: u32 = 168; pub const SHAKE256_RATE: u32 = 136;